
I'm writing a program which temporarily needs root the first time it is run to perform a configuration change (create a file in /etc).

How can I temporarily gain root, by asking the user for their password in a graphical dialog box?

The program uses Qt and I am reasonably happy if it only works on Ubuntu, but I don't want to assume that they have gksudo or whatever installed. I also cannot use SUID.

The only thing I can think of is providing my own password dialog, and feeding that to the command line sudo binary via system() (or one of its less insecure cousins).

That seems pretty hacky though - command-line front-ends are generally an awful awful idea and should be avoided at all costs. So is there a better way? Perhaps there is a libsudo, or some method using IPC?

NB: This is not a duplicate. Or at least, the answers there do not treat it as the question I am asking.

Timmmm

1 Answer


From man sudo:

   -A          Normally, if sudo requires a password, it will read it from the
               user's terminal.  If the -A (askpass) option is specified, a
               (possibly graphical) helper program is executed to read the user's
               password and output the password to the standard output.  If the
               SUDO_ASKPASS environment variable is set, it specifies the path to
               the helper program.  Otherwise, if /etc/sudo.conf contains a line
               specifying the askpass program, that value will be used.  For
               example:

                   # Path to askpass helper program
                   Path askpass /usr/X11R6/bin/ssh-askpass

               If no askpass program is available, sudo will exit with an error.

Either you use ssh-askpass, which is installed on many systems, or you write your own password prompt command, which you then supply to sudo. This is still a bit twiddly; however, you don't have to worry much about communicating the password to sudo.

nemo
  • Yeah I guess that is a reasonable solution. Still very hacky though, and it means I can't distribute my program as a single binary. – Timmmm Mar 02 '13 at 00:38
  • Well, technically you could be the askpass executable yourself and check if sudo is the caller, then change the behaviour of your program so it acts as an askpass program. Alternatively you could use some sort of packed binary. – nemo Mar 02 '13 at 02:23
  • There might be an issue with sudo -A: it may clear the sudo timeout, causing the SUDO_ASKPASS program to be launched for each sudo call in your script. See [Graphically ask for password in a bash script and retain default sudo timeout setting.](http://unix.stackexchange.com/q/81181/1321) – jfs Sep 18 '14 at 04:55
  • I want to write an askpass program for sudo on Ubuntu that supplies the password for the current user from libsecret. I can find no documentation that explains how this might be done. Is this program a standalone program? How does it supply the results to sudo? Are there any other interface requirements that must be met? These are examples of the type of question that I face and that I can find no documentation for. Is it necessary to examine the source code for sudo to get answers to these questions? – Jonathan May 10 '20 at 18:44
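
The askpass mechanism from the man page excerpt above, as an added example that is not part of the original posts: sudo runs the helper as a standalone program, passes the prompt text as its first argument, and reads the password from the helper's standard output. The function names, the prompt tools tried (ssh-askpass, zenity, kdialog) and the path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Contract (sudo(8) -A, sudo.conf(5) "Path askpass"):
# the helper receives the prompt as $1 and prints the password on stdout.

# Create the helper inside a fresh mktemp directory (owner-only access)
# and print its path. It delegates to whichever prompt tool is installed.
make_askpass_helper() {
    dir=$(mktemp -d) || return 1
    helper="$dir/askpass"
    cat > "$helper" <<'EOF'
#!/bin/sh
prompt=${1:-Password:}
if command -v ssh-askpass >/dev/null 2>&1; then
    exec ssh-askpass "$prompt"
elif command -v zenity >/dev/null 2>&1; then
    exec zenity --password --title="$prompt"
elif command -v kdialog >/dev/null 2>&1; then
    exec kdialog --password "$prompt"
fi
# Nothing to prompt with: write no password and fail visibly.
echo "askpass: no graphical password prompt found" >&2
exit 1
EOF
    chmod 0700 "$helper" || return 1
    printf '%s\n' "$helper"
}

# Run ONE command as root through the helper, then delete the helper.
# Usage (hypothetical paths):
#   run_as_root_once install -m 0644 ./myapp.conf /etc/myapp.conf
run_as_root_once() {
    helper=$(make_askpass_helper) || return 1
    SUDO_ASKPASS=$helper sudo -A -- "$@"
    status=$?
    rm -rf "$(dirname "$helper")"
    return "$status"
}
```

Since each `sudo -A` call may launch the prompt again (see the comment above about the sudo timeout), put all of the root-only work into the single command given to `run_as_root_once`.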