2

Background

I have a long bash script which setup a large environment of interconnected software, taking several hours to complete. A few of the tasks it performs need to be run as root, for which I use sudo .... The whole process is then paused until the user notices and types in the root password. I seek some way for the user to type in the root password only at the beginning of the script, and then automatically supply it when required by sudo later.

My thoughts on possible (bad) solutions

I could store the password directly in a variable and then supply it using 

echo "${root_password}" | sudo -S ...

but something tells me that this is bad practice.

Another workaround would be to force the user to run the entire script as root, but wouldn't that lead to different permissions for all of the files generated without the use of sudo?

Improve this question
7
  • 1
    You can use sudo inside the script as well to switch back to the original user for the commands that, for example, should create a non-root owned file. You are correct that storing the root password is a bad idea. Another possibility is to configure sudo to allow the user to run your script (or just the commands inside your script that require root permissions) without a password. A lot of this just requires careful thought about how the script is designed. Commented Mar 30, 2018 at 14:58
  • 1
    For example, can you isolate all the commands (and only those commands) that require root to a separate subscript, then run that with sudo? Commented Mar 30, 2018 at 15:01
  • @chepner Sounds good. How do I use sudo to change back to the user from the root? Commented Mar 30, 2018 at 15:03
  • The simple answer is sudo -u <origuser> ... inside the script. However, I thought there was a way to get the original user's identity from inside the script, and that assumption appears to be mistaken. The only answer I could give right now is to invoke the script using something like sudo script "$USER" ..., so that the script has the identity of the user it should downgrade as an argument. Commented Mar 30, 2018 at 17:12
  • @chepner If nothing else, I can make the script call itself with the sudo script $USER signature, if called without arguments. The real problem is that I not have to prepend sudo -u <origuser> to every command (except the few that requires root privileges)! I have tried placing a bunch of commands in a subshell or a function, but then sudo won't accept it... Commented Mar 30, 2018 at 17:22

2 Answers 2

Reset to default
1

You can prompt it at the start of your script, so it is not plain text hard saved.

Example:

#!/bin/bash
read -s -p "[sudo] sudo password for $(whoami): " pass
echo $pass | sudo -S apt-get update

help read:

-r do not allow backslashes to escape any characters

-s do not echo input coming from a terminal

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Indeed this is what I have right now. I'm unsure of whether the content of $pass can somehow be extracted by other users on the machine, or by looking through the bash history later, or whatnot.
you can always have a NOPASSWD within sudoers.d on this specific script, so the user will not be asked to provide their password since it is automatically accepted?
1

I suggest you figure out all of the commands you need the script to run using SUDO, ensure the script is run by a special unprivileged user (e.g. scriptuser), and then edit /etc/sudoers to permit scriptuser to run those commands with NOPASSWD

As an example:

scriptuser ALL = NOPASSWD: /bin/kill, /usr/bin/othercommand, etc.

If you know the complete commands, including arguments, that's ideal (it means that an attacker that compromises the scriptuser account can only run those specific commands as root)

Sudo has a lot of options configurable in /etc/sudoers. If you man sudoers , you should see all of them. Forewarning: This man page is very hard to understand. Find examples. Test them. Ask on StackExchange.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.