[PureParadigm]

For my accounts I usually just allow sudo to work without prompting for password by using the NOPASSWD configuration option. This saves a lot of time if you need to use sudo frequently (in my case I use it for system upgrades).

Unless I'm missing something, the security cost of this should be negligible, especially if you're in the habit of locking your computer screen when you're not using it (and this typically happens by default after a few minutes even if you forget). And if you're relying on the sudo password prompt to protect you against untrusted scripts, I'd argue you have bigger problems.

[toxik]

This is absolutely terrible advice!

[PureParadigm]

Can you explain why? I'm genuinely curious in case I've missed something!

[madjam002]

I'm guessing they meant because malware can now run commands as root without prompting for a password, however I'd argue that if you have malware running as your user in the first place then that will likely be more damaging to you than it getting root and modifying your system, as it will be able to access browser session cookies, personal documents, etc.

Personally I don't have passwordless sudo but I'm also curious as to what the attack vector might be here if you were to enable it.

[azon]

If a virus/malware was running on your system as your user, it now has root access to your machine by doing nothing more than accessing the shell.

[PureParadigm]

The virus/malware could change your $PATH or create an alias for some command that normally prompts you for your password (even sudo itself) and trick you into revealing your password to the malware. Maybe even install a keylogger depending on your OS.

Basically, if you have malware running as your own user, I'd be surprised if it couldn't find a way to trick you into typing your password to invoke sudo. Even then, it can probably do quite a bit of damage without sudo.

So then the only scenario a sudo password could possibly save me from is when I have malware already running as my user (and it's unlikely that it would help anyway due to the tricks I just mentioned). Of course everyone should do what they think is best, but personally if I were in this scenario it's pretty much game over anyway, so it's not something I'm going to worry about.