TechEarl

How to Set Up Passwordless sudo (NOPASSWD)

Configure NOPASSWD in a sudoers drop-in for a user or a specific command, the security trade-offs, and how to scope it tightly so it is not a free root shell.

Ishan Karunaratne⏱️ 4 min readUpdated
Share thisCopied
Configure passwordless sudo with NOPASSWD in a sudoers drop-in, the security trade-offs, and how to scope it to specific commands.

Passwordless sudo is useful for automation (CI runners, deploy scripts, cron) where there is no human to type a password. It is configured with the NOPASSWD tag in a sudoers drop-in, edited through visudo:

bash
sudo visudo -f /etc/sudoers.d/deploy

Scope it to specific commands (do this)

The safe pattern is NOPASSWD on exactly the commands the automation runs, never a blanket grant:

code
# /etc/sudoers.d/deploy
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/systemctl status myapp

Now sudo systemctl restart myapp runs without a prompt, but the account still cannot become root or run anything else without a password. Use absolute paths so a planted binary earlier on PATH cannot satisfy the rule.

The blanket grant (understand the cost)

code
# Convenient and dangerous: full root, no password, ever
deploy ALL=(ALL) NOPASSWD: ALL

This makes deploy equivalent to passwordless root. Anyone who lands a shell as deploy (a leaked CI token, a compromised key, a web shell running as that user) is instantly root, with no password to slow them down. Only accept this on disposable machines, or where the account is already as trusted as root and tightly isolated.

A safer middle ground for humans

If the goal is just to stop re-typing your password every few minutes, you do not need NOPASSWD at all. Raise the re-prompt timeout instead:

code
# /etc/sudoers.d/timeout
Defaults timestamp_timeout=60

That caches your sudo authentication for 60 minutes per terminal, so you type the password once an hour rather than once every few minutes, without ever granting password-free root. For most people this is the right answer, and NOPASSWD is reserved for genuine automation.

Verify the rule

bash
sudo -lU deploy        # shows which commands are NOPASSWD for deploy

The output marks the entries that do not require a password, so you can confirm the scope is exactly what you intended.

FAQ

A blanket NOPASSWD: ALL is, because anyone who gets a shell as that user becomes root with no further barrier. Scoped to specific absolute-path commands it is much safer: the account can run only those commands as root and nothing else. Scope it as tightly as the automation allows.

Raise the timeout instead of granting NOPASSWD: add Defaults timestamp_timeout=60 via visudo. Your authentication is then cached for 60 minutes per terminal, so you type the password far less often while still never having password-free root.

Put the command, by absolute path, after the NOPASSWD tag in a drop-in: deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp. Only that command runs without a password; everything else still requires one.

See also

Sources

Authoritative references this article was fact-checked against.

TagsLinuxsudosudoersNOPASSWDSecurityAutomation

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Software Systems Architect · Senior Software Engineer · Engineering Leadership

Software systems architect and senior software engineer with more than two decades designing, building, and running production software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Now a CTO, though what I write here is drawn from the full arc of that work, across architecture, engineering, and operations, not any single job.

Keep reading

Related posts

Four reliable ways to change a WordPress password: admin dashboard, WP-CLI, direct in the database, or email reset. Includes the WP 6.8+ bcrypt hash format.

How to Change a WordPress Password

Four reliable ways to change a WordPress password: admin dashboard, WP-CLI, directly in the database with the correct phpass or bcrypt hash, and the lost-password email reset.