SOLUTION 1: newgrp
A simple way to address your use case would be to use :NOPASSWD in combination with a group and group passwd:
Add a line to sudoers:
%rudo ALL=(ALL:ALL) NOPASSWD:ALL
Create a passwd protected group:
groupadd rudo
gpasswd rudo # Enter passwd
Now when you log in as an unprivileged user (assuming you're not already in the rudo group), log in to the rudo group, at which point you'll be prompted for the password.
login user
newgrp rudo
Now you can run sudo password-less, so long as you remain logged in to the group.
SOLUTION 2: runaspw
A better, possibly more secure way to do this uses runaspw. runaspw is associated with the runas_default option so you have to add that option too.
Assuming you already have the default %sudo group entry:
%sudo ALL=(ALL:ALL) ALL
add these lines to sudoers file:
Defaults:%sudo runas_default=sudo
Defaults:%sudo runaspw
Now add a new sudo user with a password:
useradd sudo -d /nonexistent -s /usr/sbin/nologin -MNr
passwd sudo
Now sudo group users will be prompted for sudo user's passwd but only users in the sudo group will be able to sudo (unlike with the group solution above, where anyone in the group or with the group passwd could sudo).
A minor issue is the default runas user is now sudo so to sudo as root you need to explicitly specify root:
sudo -u root <cmd>
But easy enough to define an alias (alias sudo='sudo -u root') or indirect sudo command.
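Added example, not part of the original answer: a small audit function that reads a sudoers fragment and reports which of the two setups above it contains, including the case where runaspw is set without runas_default (sudo then asks for the root password, since runas_default defaults to root). The function names, finding labels and sample helpers are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a sudoers fragment for the two setups in the answer.
# Findings, one per line:
#   NOPASSWD_ALL <who>           password-less ALL rule (Solution 1)
#   RUNASPW_OK <scope> <user>    runaspw paired with runas_default (Solution 2)
#   RUNASPW_NO_DEFAULT <scope>   runaspw alone: sudo asks for the root password
check_sudoers() {
    awk '
    /^[ \t]*#/ { next }    # comments (include directives are not followed)
    /^[ \t]*$/ { next }    # blank lines
    $1 ~ /^Defaults/ {
        scope = $1; rest = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # drop the Defaults field
        gsub(/[ \t]/, "", rest)
        n = split(rest, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "runaspw") pw[scope] = 1
            if (opt[i] ~ /^runas_default=/) {
                sub(/^runas_default=/, "", opt[i]); def[scope] = opt[i]
            }
        }
        next
    }
    /NOPASSWD:[ \t]*ALL/ { print "NOPASSWD_ALL", $1 }
    END {
        for (s in pw) {
            if (s in def) print "RUNASPW_OK", s, def[s]
            else print "RUNASPW_NO_DEFAULT", s
        }
    }' "$@"
}

# Constructed sample input: the sudoers lines from Solution 1 and Solution 2.
sample_solution1() {
    printf '%s\n' '%rudo ALL=(ALL:ALL) NOPASSWD:ALL'
}
sample_solution2() {
    printf '%s\n' '%sudo ALL=(ALL:ALL) ALL' \
        'Defaults:%sudo runas_default=sudo' 'Defaults:%sudo runaspw'
}

sample_solution1 | check_sudoers   # NOPASSWD_ALL %rudo
sample_solution2 | check_sudoers   # RUNASPW_OK Defaults:%sudo sudo
```

Pass a file name to check_sudoers to audit a real fragment; syntax itself is still best checked with visudo -c -f on the same file.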
Can you elaborate on this -- why do you want to do this? – Doug Harris – 2012-05-10T17:48:26.533
I feel the question explains itself well enough, but the goal is to make login secure via lengthy, difficult passwords and then to use a different password for sudo access, so that compromising a user's account does not automatically provide sudo access. – Richard – 2012-05-10T17:52:18.593
I've heard it's possible to do sudo through rsa/dsa keys, which can have any passphrase you want. – Rob – 2012-05-10T18:37:01.850