Configure sudo to ask for root password

Question

Is it possibile to configure sudo to ask for root password instead of user password?

The server is configured with a root user and a simple user (let's call him simple) with limited privileges, used to deploy all the applications hosted on the server. The user simple is not in the sudoers list thus

$ sudo command

won't work because simple's password can't grant him root privileges.

Occasionally I need to run some scripts which need root access via Capistrano (a ruby deployment tool) and it's quite difficult to code a script in order to login as root, run the script, then logout. I'd like to be able to execute the following statement

$ sudo god restart tasks-group

and have Capistrano to prompt me for root password. Currently, Capistrano prompts for deployment user password which is, obviously, a non admin account.

score 11 · Accepted Answer · answered Jan 18 '10 at 22:39

I think you're trying to make sudo work in a way that it is not ment to - you don't want to add the 'simple' user to the sudoers file (please correct me if i'm wrong).

In that case sudo isn't the tool you want to use you want to issue su -c <command> this will prompt for the root password, execute the command, then exit.

score 4 · Answer 2 · answered Jan 18 '10 at 21:30

4

There's a flag to be set in the sudoers file if you want the user to authenticate via his own password, or via root's. The flag is called rootpw. Sudo is a very powerfull package, be sure to check the man page about sudoers(5).

answered Jan 18 '10 at 21:30

pfo

5,630
23
36

2

See also information in `man sudoers` regarding `targetpw` and Runas. – Dennis Williamson Jan 18 '10 at 23:38

score 3 · Answer 3 · answered Jan 18 '10 at 21:05

3

No. Use su to become root using the root password.

The better solution is probably to have capistrano use sudo on the deployment machine for tasks that need root access.

answered Jan 18 '10 at 21:05

Jakob Borg

1,453
1
10
13

This requires the user to be included in the sudoers list. I wanted to avoid this configuration because the user can login from ssh. – Simone Carletti Jan 18 '10 at 21:17
3

But on the other hand you can add just the relevant commands to sudoers, thus limiting what the non-admin user can do. I think that this, on the whole, is more secure than involving the actual root password. – Jakob Borg Jan 18 '10 at 21:28

score 0 · Answer 4 · answered Jan 18 '10 at 21:04

0

If the deployment user is allowed to sudo, then at that point it does become a privileged account that can act in an administrative fashion. That's the purpose of sudo. Or am I misreading the question?

answered Jan 18 '10 at 21:04

squillman

37,618
10
90
145

This is the point. The deployment user is not in the sudoers list. – Simone Carletti Jan 18 '10 at 21:16
Ok. You might want to edit that into your question, then. Sorry, was't clear (at least to me). – squillman Jan 18 '10 at 21:22
Updated. Sorry for the misunderstanding. – Simone Carletti Jan 18 '10 at 21:25

Configure sudo to ask for root password

4 Answers4