TechEarl

How to Set Up Passwordless sudo (NOPASSWD)

Configure NOPASSWD in a sudoers drop-in for a user or a specific command, the security trade-offs, and how to scope it tightly so it is not a free root shell.

Ishan Karunaratne⏱️ 4 min readUpdated
Share thisCopied
Configure passwordless sudo with NOPASSWD in a sudoers drop-in, the security trade-offs, and how to scope it to specific commands.

Passwordless sudo is useful for automation (CI runners, deploy scripts, cron) where there is no human to type a password. It is configured with the NOPASSWD tag in a sudoers drop-in, edited through visudo:

bash
sudo visudo -f /etc/sudoers.d/deploy

Scope it to specific commands (do this)

The safe pattern is NOPASSWD on exactly the commands the automation runs, never a blanket grant:

code
# /etc/sudoers.d/deploy
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp, /usr/bin/systemctl status myapp

Now sudo systemctl restart myapp runs without a prompt, but the account still cannot become root or run anything else without a password. Use absolute paths so a planted binary earlier on PATH cannot satisfy the rule.

The blanket grant (understand the cost)

code
# Convenient and dangerous: full root, no password, ever
deploy ALL=(ALL) NOPASSWD: ALL

This makes deploy equivalent to passwordless root. Anyone who lands a shell as deploy (a leaked CI token, a compromised key, a web shell running as that user) is instantly root, with no password to slow them down. Only accept this on disposable machines, or where the account is already as trusted as root and tightly isolated.

A safer middle ground for humans

If the goal is just to stop re-typing your password every few minutes, you do not need NOPASSWD at all. Raise the re-prompt timeout instead:

code
# /etc/sudoers.d/timeout
Defaults timestamp_timeout=60

That caches your sudo authentication for 60 minutes per terminal, so you type the password once an hour rather than once every few minutes, without ever granting password-free root. For most people this is the right answer, and NOPASSWD is reserved for genuine automation.

Verify the rule

bash
sudo -lU deploy        # shows which commands are NOPASSWD for deploy

The output marks the entries that do not require a password, so you can confirm the scope is exactly what you intended.

FAQ

See also

Sources

Authoritative references this article was fact-checked against.

TagsLinuxsudosudoersNOPASSWDSecurityAutomation

Found this useful? Pass it on.

Copied

Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.

More by IshanLinkedIn
Keep reading

Related posts

WordPress

How to Change a WordPress Password

Four reliable ways to change a WordPress password: admin dashboard, WP-CLI, directly in the database with the correct phpass or bcrypt hash, and the lost-password email reset.