Joe Maller.com

Vagrant NFS Shares without a password

Since I switched a few months ago, Vagrant has been humming along nicely, spinning up trim little Ansible-provisioned Ubuntu boxes as needed. Since I’m using Virtual Box as the provider and shared folders barely work with more than a handful of files, my active projects are made available as NFS share points. Running on OS X, Vagrant’s NFS shares are configured by modifying /etc/exports, and unfortunately, that requires administrator privileges and a password prompt.

Thankfully someone shared a workaround shell script which tweaked sudoers so vagrant up no longer required a password. It worked perfectly, until recently.

With the release of Vagrant 1.3, the NFS password prompt was back. The modified sudoers commands no longer worked.

Updating sudoers

All sudo commands are logged, so figuring out what changed was just a slightly clumsy matter of checking the logs with Vagrant 1.2.7, then installing Vagrant 1.3.x and looking for changes. This was a lot more effective than trying to step through the diffs of the Ruby code to reconstruct the various commands.

In previous versions of Vagrant whitelisting these commands allows editing of /etc/exports without a password:

/usr/bin/su root -c echo '*' >> /etc/exports
/usr/bin/sed -e /*/ d -ibak /etc/exports

In Vagrant 1.3.x, those commands were updated:

/bin/bash -c echo '*' >> /etc/exports
/usr/bin/sed -E -e /*/ d -ibak /etc/exports

Based on the original shell script, here is the block that needs to be added to /etc/sudoers for password-free startup with NFS shares:

Cmnd_Alias VAGRANT_EXPORTS_ADD = /bin/bash -c echo '*' >> /etc/exports
Cmnd_Alias VAGRANT_NFSD = /sbin/nfsd restart
Cmnd_Alias VAGRANT_EXPORTS_REMOVE = /usr/bin/sed -E -e /*/ d -ibak /etc/exports
%staff ALL=(root) NOPASSWD: VAGRANT_EXPORTS_ADD, VAGRANT_NFSD, VAGRANT_EXPORTS_REMOVE

I also posted an updated fork of the original workaround, install_vagrant_sudoers.sh:


  • Zaid Daba’een

    Note for the ones who like to copy and paste:
    If you are not working on a Mac, change %staff to the group name of your user’s group.