NOPASSWD

NOPASSWD is a control tag used in the sudoers policy on Unix-like systems. When applied to a user, group, or host specification, it disables the need to enter a password for the commands listed under sudo, effectively granting passwordless privileged execution for those commands.

In the sudoers file, a typical entry has the form: user host = (runas) tags: commands. The NOPASSWD tag can be used alongside other tags or with a specific command list. Examples: "alice ALL=(ALL) NOPASSWD: ALL" allows alice to run any command without a password. "bob ALL=(root) NOPASSWD: /usr/bin/systemctl" allows bob to run systemctl without a password. Edit sudoers with visudo to validate syntax before saving.

NOPASSWD does not by itself grant unlimited privileges outside the listed commands. It simply skips the password prompt for those commands; actual permission depends on the commands and the runas target. On some systems, a TTY requirement (requiretty) may still apply, and host or command aliases can restrict what is allowed.

Security considerations include the elevated risk of passwordless access if an account is compromised or if mistakes enable broader command execution. Best practices are to limit NOPASSWD to a small set of safe commands, prefer per-user or per-host entries, audit uses, and combine with other controls such as time limits, session logging, or privileged access management where appropriate.
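
As an added example (not part of the original page), the Python sketch below audits a sudoers policy for passwordless commands, including commands that inherit NOPASSWD from an earlier entry in the same comma-separated list. The sample policy, the function name audit_nopasswd and the severity labels are assumptions made for illustration, and the parser is deliberately simplified as noted in its docstring.

```python
import re

# Constructed sample policy for illustration (not from a real host).
SAMPLE = """\
Defaults requiretty
Cmnd_Alias SVC = /usr/bin/systemctl
alice ALL=(ALL) NOPASSWD: ALL
bob   ALL=(root) NOPASSWD: /usr/bin/systemctl, \\
      /usr/bin/journalctl
carol ALL=(root) /usr/bin/id, NOPASSWD: SVC, PASSWD: /usr/bin/passwd
"""

TAG = re.compile(r"^([A-Z_]+):\s*")        # NOPASSWD:, PASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\(([^)]*)\)\s*")     # (root), (ALL), (ALL, root)
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def audit_nopasswd(text):
    """Return (user, runas, command, severity) for each passwordless command.

    Simplified: '#' always starts a comment (so #include files are not
    followed) and escaped commas inside command arguments are not handled.
    """
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP) or "=" not in line:
            continue
        who, specs = line.split("=", 1)
        user = who.split()[0]
        runas, nopasswd = "root", False      # assumed defaults for an entry
        # Split the command list on commas that are outside "(runas)".
        for spec in re.split(r",(?![^(]*\))", specs):
            spec = spec.strip()
            if (m := RUNAS.match(spec)):
                runas, spec = m.group(1), spec[m.end():]
            while (m := TAG.match(spec)):
                # A tag stays in force for later commands until PASSWD resets it.
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                spec = spec[m.end():]
            if nopasswd:
                severity = "high" if spec == "ALL" else "review"
                findings.append((user, runas, spec, severity))
    return findings

if __name__ == "__main__":
    for finding in audit_nopasswd(SAMPLE):
        print(*finding, sep="\t")
```

In the sample, bob's second command is reported even though only the first carries the tag, which is the case most easily missed when reviewing a policy by eye.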