sudo with NOPASSWD not working

I run a few scripts as normal use with commands which normally require root privileges. To avoid having to enter the root password in the scripts I use the sudo command with an entry in the /etc/sudoers file like that (here in Bold):

## User privilege specification
root ALL=(ALL) ALL

**uli ALL=(ALL) NOPASSWD: /bin/mount, /bin/umount, /usr/local/bin/protonvpn**

## Uncomment to allow members of group wheel to execute any command

Up to now this always worked without any problems but now I always get asked for the root password. Has there anything changed?

uli@linux-4skc:~/bin> sudo protonvpn c --cc DE
[sudo] password for root: 
uli@linux-4skc:~/bin> ^C

it still work for me … I suspect a problem within the sudoers file config. do you have any other permissions made to a group uli would be member or the uli user in the sudoers file ?
can you show the full sudoers file and any file in /etc/sudoers.d directory ?

That’s very strange!


Thank you, PerfMonk, the rest of the sudoers file was never touched and there is no other file in /etc/sudoers.d:

linux-4skc:~ # cd /etc/sudoers.d/
linux-4skc:/etc/sudoers.d # ls
linux-4skc:/etc/sudoers.d # cat ../sudoers
## sudoers file.
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
## See the sudoers man page for the details on how to write a sudoers file.

## Host alias specification
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias    WEBSERVERS = www1, www2, www3

## User alias specification
## Groups of users.  These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias    ADMINS = millert, dowdy, mikef

## Cmnd alias specification
## Groups of commands.  Often used to group related commands together.
# Cmnd_Alias    PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#                           /usr/bin/pkill, /usr/bin/top
# Cmnd_Alias    REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff

## Defaults specification
## Prevent environment variables from influencing programs in an
## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
Defaults always_set_home
## Path that will be used for every command run from sudo
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset
## Change env_reset to !env_reset in previous line to keep all environment variables
## Following list will no longer be nevessary after this change
## Comment out the preceding line and uncomment the following one if you need
## to use special input methods. This may allow users to compromise the root
## account if they are allowed to run commands without authentication.

## Do not insult users when they enter an incorrect password.
Defaults !insults

## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output

## In the default (unconfigured) configuration, sudo asks for the root password.
## This allows use of an ordinary user account for administration of a freshly
## installed system. When configuring sudo, delete the two
## following lines:
Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

## Runas alias specification

## User privilege specification
root ALL=(ALL) ALL

#uli ALL=(ALL) NOPASSWD:/bin/mount,/bin/umount,/usr/local/bin/protonvpn

uli linux-4skc=NOPASSWD:/bin/mount,/bin/umount,/usr/local/bin/protonvpn

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
linux-4skc:/etc/sudoers.d #

As you can see I have played around a bit with different options, so far no success. The mount/umount is to mount the NAS for backups (not very regularly). I have the same line in the sudoers file on my Leap computers (with mount/unmount - not protonvpn). Have to check whether it still works there.

OK, the normal mount command works with sudo - the problem is the openvpn command:

uli@linux-4skc:~/bin> sudo mount -t nfs /home/uli/ulimnt
Created symlink /run/systemd/system/ → /usr/lib/systemd/system/rpc-statd.service.
uli@linux-4skc:~/bin> sudo protonvpn c --cc DE
[sudo] password for root: 

So as root the openvpn command is no problem:

uli@linux-4skc:~/bin> su -
linux-4skc:~ # protonvpn c --cc DE
Connecting to DE#33 via UDP...
linux-4skc:~ # protonvpn d
linux-4skc:~ #

What has “openvpn” to do with it?

uli@linux-4skc:~/bin> sudo protonvpn c --cc DE
[sudo] password for root: 

First you say “openvpn” and then you show “protonvpn” command.

Sorry, arvidjaar, I meant protonvpn (which is based on openvpn). My mistake. So now I have to find out why protonvpn works without problem when I use it as root but not with the sudo command before.

Just use a systemd service?

Thanks for the link, malcolmlewis, but then I would need to have a sudo NOPASSWD set-up for systemd. What I want to do is have an icon on the desktop which activates protonVPN so that people without knowledge of the commandline (like my wife) can activate the VPN. In the command (or script) behind the icon should not be the root password anywhere - hence the setup with sudo and NOPASSWD. I have seen the sudoers line “user ALL = (root) NOPASSWD: /usr/local/bin/protonvpn” (which has (root) instead of (ALL) in and I will try this later.

I don’t use vpn, but would imagine a policy kit rule, run the systemd service as your user (which as far as I can tell, this is what the user suggest), activate it at boot (which the service does).

I see no reason why it needs to be run as root, seems it should run as a user process…

THat does not work either - still asks for root password. I must admit I expected this result since the line “root ALL=(ALL) ALL” in the sudoers file indicates that there is no difference between (ALL) and (root).

In the link you send me there is the following:
Enable and start the service sudo systemctl enable protonvpn.service
sudo systemctl start protonvpn.service

The VPN should not start at boot but only when required. So far from command line as root it is no problem and I used it for quite some time. THe attempt to make it easy to use is the problem…

So don’t enable? Allow the user to restart the service;

username ALL = NOPASSWD: /usr/bin/systemctl restart protonvpn.service

I must admit that I don’t quite understand what this script does (or how the systemd services are set up and work). I presume if I follow the instructions the protonvpn service would start at boot (at least when they are enabled). That would mean if I don’t want it to start at boot every time this service needs to be disabled. Then I would need the first line in the sudoers file to enable the service, a second line to start the service and a third line to stop the service. The alternative would be to allow all sytemctl command with sudo and without password and I don’t want to allow that. The second question is whether your line works at all with the command, the option and the service in one line in the sudoers file (may be with quotation marks because of the spaces, etc. You know much more about all of these things but for me it looks that it would be easier to try to find the solution to the single line to enable “sudoprotonvpn” with NOPASSWD.

I’m not a ProtonVPN customer, so I downloaded it for assistance purposes only. Are you sure you have the path correct?

For reference I get

~> which protonvpn

Yes, correct separate lines, then you can create an alias for the command?

For example;

alias vpnon='sudo /usr/bin/systemctl restart protonvpn.service'

Or a desktop entry (or a start/stop widget?) or just run the command…


and make sure you have the correct path defined.

Ahh there is a policy kit option :wink: Good find!

Yes deano_ferrari, I have used the which command to make sure the path is correct:

uli@linux-4skc:~> which protonvpn

And thanks for the link I will have a closer look now!

By default sudo on openSUSE sets secure_path, which means sudo may find command in different place than your interactive shell.

So I installed the protonVPN GUI and there is first have to log into my protonVPN account and afterwards it asks for the root password. I added the following line in /etc/sudoers:

uli ALL=(root) NOPASSWD: /usr/local/bin/protonvpn-gui

but I am still asked for the root password. THen I came across the following:

uli@linux-4skc:~> sudo which protonvpn
[sudo] password for root: 
which: no protonvpn in (/usr/sbin:/usr/bin:/sbin:/bin)
uli@linux-4skc:~> su -
linux-4skc:~ # which protonvpn
linux-4skc:~ # 

Here it looks as if the sudo command looks onlyu in the path /usr/sbin:/usr/bin:/sbin:/bin and nowhere else. How come? That explains why I am asked for the root password and why the mounting/unmounting command works with sudo. Is that what you want to tell me arvidjaar, that I have ton set “secure_path” to include /usr/local/bin/?