2

I've got some commands I need to be able to script that require using sudo with the added business constraint that I can't run the script itself with privileges. I have seen using 

echo "$pwd" | sudo <my command>

Is this the best way? Sometimes I get a line back that says bash: line 1: <my pwd redacted>: command not found, I imagine it's when linux doesn't actually prompt for the pwd. I've seen some people mention modifying the /etc/sudoers file but apparently changes to that file don't take effect until logging out.

  • You might decide to configure permanently `/etc/sudoers` to enable `sudo` without any password. This might be considered as a security weakness. – Basile Starynkevitch Jun 13 '17 at 22:15
  • @BasileStarynkevitch I've thought about this, but I'd like to keep everything contained within the script for portability reasons, if possible –  Jun 13 '17 at 22:16
  • Then you should use something else than `sudo`. Perhaps writing your own [setuid](https://en.wikipedia.org/wiki/Setuid) executable in C, or use `super` – Basile Starynkevitch Jun 13 '17 at 22:18
  • You can also setup ONE user to have root privileges but not require a password. A bit like the default 'vagrant' user in the virtual machine of the same name. – George M Reinstate Monica Jun 13 '17 at 22:27
  • 1
    I believe you need to use `sudo -S` when you use the `echo` method. `sudo -S` will read the password from `stdin`. Also see [Use sudo with password as parameter](https://stackoverflow.com/q/11955298/608639). – jww Jun 14 '17 at 00:01

2 Answers2

2

What's the best way to run sudo from a bash script without being able to run the script as privileged?

I think the best way is to prompt the user for the password, and apply sudo when its needed within the script. For example, below is from build-git.sh and build-ssh.sh. The scripts only use the password with sudo during the make install step. (The scripts are used on old OSes, like CentOS 5, which do not offer modern tools).

echo
echo "If you enter a sudo password, then it will be used for installation."
echo "If you don't enter a password, then ensure INSTALL_PREFIX is writable."
echo "To avoid sudo and the password, just press ENTER and they won't be used."
read -s -p "Please enter password for sudo: " SUDO_PASSWWORD
echo
...

# Configure and make without privileges
...

MAKE_FLAGS=(install)
if [[ ! (-z "$SUDO_PASSWWORD") ]]; then
    echo "$SUDO_PASSWWORD" | sudo -S "$MAKE" "${MAKE_FLAGS[@]}"
else
    "$MAKE" "${MAKE_FLAGS[@]}"
fi

Its probably worth mentioning that I needed to (1) configure and build without privileges, and (2) install with privileges. Making the password optional like in the script served my needs, so its was deemed "best" because it met my requirements and worked with the least amount of effort. Your "best" may vary depending on your requirements.

If you do use the echo method, then consider disabling or clearing Bash history to avoid logging the password. You can even temporarily disable history if you want to get fancy. The machines I run the scripts on have their history disabled, so its not a concern for me.

jww
  • 97,681
  • 90
  • 411
  • 885
1

Consider installing then using the super command, or write with great care (to avoid security holes) your own setuid executable in C and build it appropriately (using chmod u+s on the ELF executable). Notice that scripts cannot be setuid. See execve(2)

Basile Starynkevitch
  • 223,805
  • 18
  • 296
  • 547
  • 1
    Here is an example of what Basile is advising: [Can I make a script always execute as root?](https://superuser.com/a/440403/173513) – jww Jun 14 '17 at 00:07