How do I make sudo ask for the root password?

26

9

When I run sudo as a normal unprivileged user, it asks for my password, not the root password. That's often convenient, but it reduces the amount of information someone would have to have in order to run commands as root. So how can I make sudo ask for the root password instead of the invoking user's password?

I know it'd be done with a line in /etc/sudoers, but I can never seem to properly parse the BNF grammar in the man page to figure out exactly what to write.

David Z

Posted 2010-07-09T04:38:21.653

Reputation: 5 688

I recommend you restrict the commands that are permissible as the non-root user so that you need not worry about exposing arbitrary commands. – Slartibartfast – 2010-07-09T05:02:22.983

@slartibartfast: but then what happens when I need to run a command as root that is not in the preapproved list? – David Z – 2010-07-09T05:46:42.067

Answers

26

Ok, here it is again so you can set the checkmark.

In /etc/sudoers, add this line:

Defaults rootpw

to turn on the rootpw flag, making sudo ask for the root password.

Florian Diesch

Posted 2010-07-09T04:38:21.653

Reputation: 3 380

7

You should always use the visudo command instead of manually editing the /etc/sudoers file. visudo validates the file to make sure it's correct before saving, so you don't get locked out of sudo if you make a syntax error... http://askubuntu.com/a/81054/166411

– Colin D Bennett – 2013-11-26T21:22:03.310

6

You need to turn the rootpw flag on.

Ignacio Vazquez-Abrams

Posted 2010-07-09T04:38:21.653

Reputation: 100 516

As I said, I haven't been able to work through the BNF notation in the man page - so what line would I insert into /etc/sudoers to enable this flag? – David Z – 2010-07-09T05:48:10.987

Defaults rootpw – Florian Diesch – 2010-07-09T09:57:45.647

@Florian: whaddya know, it's that easy :-) If you post that as an answer you get the checkmark. – David Z – 2010-07-09T20:11:50.453

3

I know this question is old, but it is the most concise question I've found for this use case (which is a minor percentage, true, but nonetheless legitimate and helpful in the right scenario).

After putting all the steps together from various sources - including multiple answers to this question, these steps work on Ubuntu-Gnome 16.04 LTS:

  1. Set a password for root
    • This is CRITICAL to do FIRST! (Ubuntu automatically has no password for the ROOT user due to the standard security configuration.)
    • If you do not do this first, you will lock yourself out from accessing root privileges. This can be overcome by booting in with a Live Disk, mounting the hard drive, and editing the sudoers file, but it's best to avoid that.
    • Open a terminal and enter: sudo passwd
    • Set your new password for the ROOT user.
  2. Change the SUDO configuration to require the root password
    • SUDO requires the user requesting root privileges
    • Setting the "rootpw" flag instead tells SUDO to require the password for the root user.
    • Open a terminal and enter: sudo visudo
    • This will open the "/etc/sudoers" file
    • After the other "Defaults" line, add: Defaults rootpw
    • Save it (assuming you are in nano, which is the default, this is CTRL+O)
    • Close the file (CTRL+X) & exit the terminal
  3. You're done!

Just a quick note - I also wanted to make sure that the root user couldn't be used to log in from the graphical login, and so was looking into ways to exclude it. Apparently, the root user is excluded by default, and cannot be used to log in through the Gnome graphical login - which is a very good thing!

SRDC

Posted 2010-07-09T04:38:21.653

Reputation: 148

Could you suggest improvements to reverse a downvote? – SRDC – 2016-11-09T16:05:31.720

Doesn't seem to be wrong. – Ruslan – 2017-03-08T13:30:18.250

Possibly because a simple (and working) config of:

root ALL=(ALL) ALL
Defaults targetpw
ALL ALL=(ALL) ALL

allows root sudo for every user that knows the root password. Naively changing the last two lines to your solution, Defaults rootpw, causes a lockout from sudo. You also need to add your user to sudoers like so:

myusername ALL=(ALL) ALL

or give similar privileges to a group and then add myusername to that group. – Paul Parker – 2019-04-05T04:12:38.717

2

A common configuration that requires the password of the target (not what we want):

Defaults targetpw
ALL ALL=(ALL) ALL

The second line would read out loud like: "ALL users on ALL hosts can impersonate (ALL) users when executing ALL commands." and the Defaults targetpw means that they need to know the password of the user they are impersonating to do so.

Naively changing this simple config to:

Defaults rootpw

wouldn't leave any user or group with the privilege to run commands as another user.

One working possibility would be:

Defaults rootpw
myuser ALL=(ALL) ALL

In plain English, myuser now has the ability to run ALL commands as any user on ALL hosts, so long as the root password is known.

Another working possibility would be:

Defaults rootpw
%sudousers ALL=(ALL) ALL

Any member of the sudousers group will have the ability to run ALL commands as any user on ALL hosts, so long as the root password is known. To allow myuser to run sudo commands, sudousers would need to be added to its secondary groups.

su
usermod -a -G sudousers myuser
exit

Paul Parker

Posted 2010-07-09T04:38:21.653

Reputation: 121

Great explanation. More detailed than the step-by-step I posted (which worked based on Ubuntu defaults). – SRDC – 2019-06-08T03:18:14.173
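As an added example (not code from any answer here), a small POSIX shell check for the lockout pitfall described in SRDC's steps and in this answer: a sudoers fragment that sets rootpw or targetpw but no longer contains any user or group specification, so nobody can run sudo at all. The file names and sudoers samples are constructed, and the parser is a simplified approximation of the sudoers grammar (per-user Defaults, #include directives and alias expansion are not modeled), so visudo -c -f remains the authoritative check.

```shell
#!/bin/sh
# Added example, not from any answer above: flag a sudoers fragment that
# sets rootpw/targetpw but grants sudo to nobody (the lockout case).
# Sample configurations below are constructed; the grammar is simplified.

# Print the user/group specification lines of FILE, with comments, blank
# lines, Defaults lines and alias definitions removed. A spec looks like
#   who HOSTS=(RUNAS) COMMANDS     (who = user, %group, +netgroup or ALL)
list_sudo_specs() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | grep -v -e '^[[:space:]]*Defaults' -e '^[[:space:]]*[A-Za-z]*_Alias' \
        | grep '^[[:space:]]*[%+A-Za-z_][A-Za-z0-9_.-]*[[:space:]][^=]*=' || true
}

# Return 0 when FILE grants sudo to at least one principal, 1 when nobody
# could run sudo after installing it.
check_sudoers() {
    n=$(( $(list_sudo_specs "$1" | wc -l) ))
    if [ "$n" -eq 0 ]; then
        echo "LOCKOUT RISK: $1 grants sudo to nobody" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*Defaults[[:space:]]\{1,\}rootpw' "$1"; then
        echo "$1: rootpw set, $n spec line(s) will prompt for root's password"
    fi
    return 0
}

# Authoritative syntax check when visudo is available (not run in the demo).
syntax_check_sudoers() { command -v visudo >/dev/null 2>&1 && visudo -c -f "$1"; }

# Constructed demo: the naive rewrite, and the two working forms from the answer.
demo_dir=$(mktemp -d)
printf 'Defaults rootpw\n' > "$demo_dir/naive"
printf 'Defaults rootpw\nmyuser ALL=(ALL) ALL\n' > "$demo_dir/working"
printf 'Defaults rootpw\n%%sudousers ALL=(ALL) ALL\n' > "$demo_dir/group"
for f in naive working group; do
    check_sudoers "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```

Run it against a copy of the fragment you intend to install, then let visudo do the real validation before the file touches /etc/sudoers.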

0

You could just turn off sudo and use su -c.

Nitrodist

Posted 2010-07-09T04:38:21.653

Reputation: 1 488

Inconvenient because I have to enter my password every time I run it. The use case here is having to run multiple commands as root in quick succession. – David Z – 2010-07-09T05:45:25.643

-1

Using

sudo su

will let you run as many commands as you want in succession.

user33460

Posted 2010-07-09T04:38:21.653

Reputation:

Good idea, but unless I change sudo to prompt for the root password, this would still allow someone to gain root access by presenting only one password (not root's). So it doesn't really address the security concern that prompted my question. – David Z – 2010-07-09T20:14:49.840

Instead of using sudo's capacity to limit access by user you are exposing your root password to a number of users. You are also removing the capability of securing your server by removing the password from root. – BillThor – 2010-07-10T02:53:34.180