Editing sudoers file still asks for password

Question

I'm trying to have a python script access GPIO pins on an Odroid XU4, which requires sudo. I want to simply blink a GPIO pin from off to on, then back off again. The python script is fine, but it asks for a password when I run it.

I've edited my sudoers file using visudo to not require passwords, for GPIO access. From previous blogs I've found that the order of the sudoers directives are important and have taken that into consideration. My current sudoers file is as follows:

Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
username ALL=NOPASSWD: /sys/class/gpio/export
username ALL=NOPASSWD: /sys/class/gpio/gpio174/direction
username ALL=NOPASSWD: /sys/class/gpio/gpio174/value

Why am I still being prompted to enter a password when trying to access the GPIO pin 174? I've added the NOPASSWD directives after the %admin and %sudo lines just as other posts have suggested.

Answer 1

/sys/class/gpio/export (and the others) are pseudo-files, not a program. Sudo works on limiting access to programs, not files.

I'd suggest looking at https://serverfault.com/questions/641483/how-to-grant-user-modify-only-specific-protected-file-by-sudo (or more specifically, there should be a way to use extended permissions to grant access to a user to the 3 sys files you care about in a way that doesn't require root.

Alternatively, and this is probably easier, you could do username ALL=NOPASSWD: /usr/bin/blinkscript

(where /usr/bin/blinkscript is your python program with the #!/usr/bin/python and permissions set so username cannot overwrite the file etc.)

Specific demonstration for clarity: Given a file blinkscript that consists of:

#!/usr/bin/python
print ("Hello World")

which is put in /usr/bin, owned by root, with permissions 700 (as in doing ls -l /usr/bin/blinkscript comes back with something like:

-rwx------. 1 root root 40 Apr 8 19:52 /usr/bin/blinkscript

)

and then having a line toward the bottom of your sudoers file of the form:

user1 ALL=NOPASSWD: /usr/bin/blinkscript

If I, as user1 do: blinkscript I get: "permission denied"

If I, as user1 do: sudo blinkscript I get: "Hello World" (without being prompted for a password) (Note that I do not have to explicitly do /usr/bin/blinkscript, but that also works)

If I as user2 (who doesn't have any sudo privs) do: sudo blinkscript I get prompted for a password and then put on the bad boy list

(Also note that I used permissions of 700 to clearly show the permissions; doing something like 755 would also be fine and the point would be that if your script tried to touch the /sys files, it would work when run with sudo and not without; the point I was trying to make is that if you make the permissions 777 or owned by user1, then user1 could edit the file to run whatever commands they wanted, defeating the purpose of not just doing user1 all=all nopasswd: all in the first place )