Background

I have a long bash script which sets up a large environment of interconnected software, taking several hours to complete. A few of the tasks it performs need to be run as root, for which I use sudo .... The whole process is then paused until the user notices and types in the root password. I seek some way for the user to type in the root password only at the beginning of the script, and then automatically supply it when required by sudo later.

My thoughts on possible (bad) solutions

I could store the password directly in a variable and then supply it using

echo "${root_password}" | sudo -S ...

but something tells me that this is bad practice.

Another workaround would be to force the user to run the entire script as root, but wouldn't that lead to different permissions for all of the files generated without the use of sudo?

jmd_dk
  • 1
    You can use `sudo` inside the script as well to switch *back* to the original user for the commands that, for example, should create a non-root owned file. You are correct that storing the root password is a bad idea. Another possibility is to configure `sudo` to allow the user to run your script (or just the commands inside your script that require root permissions) *without* a password. A lot of this just requires careful thought about how the script is designed. – chepner Mar 30 '18 at 14:58
  • 1
    For example, can you isolate all the commands (and only those commands) that require root to a separate subscript, then run that with `sudo`? – chepner Mar 30 '18 at 15:01
  • @chepner Sounds good. How do I use `sudo` to change back to the user from the root? – jmd_dk Mar 30 '18 at 15:03
  • The simple answer is `sudo -u ...` inside the script. However, I thought there was a way to get the original user's identity from inside the script, and that assumption appears to be mistaken. The only answer I could give right now is to invoke the script using something like `sudo script "$USER" ...`, so that the script has the identity of the user it should downgrade as an argument. – chepner Mar 30 '18 at 17:12
  • @chepner If nothing else, I can make the script call itself with the `sudo script $USER` signature, if called without arguments. The real problem is that I now have to prepend `sudo -u ` to *every* command (except the few that require root privileges)! I have tried placing a bunch of commands in a subshell or a function, but then `sudo` won't accept it... – jmd_dk Mar 30 '18 at 17:22
  • Another option is to let all the files be created for root, but then `chmod`/`chown` them to the correct user as necessary. That might be simpler than trying to run the commands under the correct user name. – chepner Mar 30 '18 at 17:26
  • Also see [Prompt for sudo password and programmatically elevate privilege in bash script?](https://unix.stackexchange.com/q/28791/56041), [How to enter password only once in a bash script needing sudo](https://askubuntu.com/q/711580), [Request root privilege from within a script](https://askubuntu.com/q/746350), [Create a sudo user in script with no prompt for password...](https://stackoverflow.com/q/43853533/608639), [sudo with password in one command line?](https://superuser.com/a/67766/173513), [How to prompt user for sudo password?](https://stackoverflow.com/q/47538572/608639), etc. – jww Mar 30 '18 at 17:53

2 Answers

1

You can prompt for it at the start of your script, so it is not hard-saved in plain text.

Example:

#!/bin/bash
# -s keeps the typed password off the terminal; -r keeps backslashes literal
read -r -s -p "[sudo] sudo password for $(whoami): " pass
# quote $pass so a password containing spaces or globs is passed intact
echo "$pass" | sudo -S apt-get update

help read:

-r do not allow backslashes to escape any characters

-s do not echo input coming from a terminal

rowan
  • Indeed this is what I have right now. I'm unsure of whether the content of `$pass` can somehow be extracted by other users on the machine, or by looking through the bash history later, or whatnot. – jmd_dk Mar 30 '18 at 20:32
  • You can always have a `NOPASSWD` within sudoers.d on this specific script, so the user will not be asked to provide their password since it is automatically accepted? – rowan Mar 30 '18 at 20:45
1

I suggest you figure out all of the commands you need the script to run using SUDO, ensure the script is run by a special unprivileged user (e.g. scriptuser), and then edit /etc/sudoers to permit scriptuser to run those commands with NOPASSWD.

As an example:

scriptuser ALL = NOPASSWD: /bin/kill, /usr/bin/othercommand, etc.

If you know the complete commands, including arguments, that's ideal (it means that an attacker that compromises the scriptuser account can only run those specific commands as root).

Sudo has a lot of options configurable in /etc/sudoers. If you `man sudoers`, you should see all of them. Forewarning: this man page is very hard to understand. Find examples. Test them. Ask on StackExchange.

Slartibartfast
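As an added example that is not code from either answer: it builds the restricted `NOPASSWD` drop-in from the second answer (absolute paths only, syntax-checked with `visudo -c` before it is installed), and, for a script that still needs a password, swaps the first answer's password-in-a-variable approach for `sudo -v` plus a background `sudo -n` refresh so the password is never held by the script. The user name `scriptuser` and `/usr/bin/othercommand` follow the answer; the drop-in file name and the 60-second refresh interval are assumptions.

```shell
#!/bin/sh
# Added example, not code from either answer. Assumed names: "scriptuser",
# the drop-in file /etc/sudoers.d/90-<user>, and a 60 s refresh interval.
set -eu

# Build one sudoers line: <user> ALL=(root) NOPASSWD: <cmd1>, <cmd2>, ...
# Commands must be absolute paths with no wildcards, so the grant cannot be
# widened through PATH lookups or glob expansion.
sudoers_line() {
    user="$1"; shift
    joined=""
    for cmd in "$@"; do
        case "$cmd" in
            /*) ;;
            *)  echo "refusing non-absolute command: $cmd" >&2; return 1 ;;
        esac
        case "$cmd" in
            *\**|*\?*) echo "refusing wildcard in: $cmd" >&2; return 1 ;;
        esac
        joined="${joined:+$joined, }$cmd"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$joined"
}

# Write the drop-in through visudo -c so a syntax error is caught before it
# can lock everyone out of sudo; mode 0440 is what sudoers.d expects.
install_dropin() {
    user="$1"; shift
    tmp=$(mktemp)
    sudoers_line "$user" "$@" > "$tmp"
    sudo visudo -c -f "$tmp"
    sudo install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/90-$user"
    rm -f "$tmp"
}

# For a script that still needs a password: let sudo prompt once (-v) and
# refresh its timestamp in the background (-n never prompts), so later sudo
# calls do not block and the password never sits in a variable or history.
keep_sudo_alive() {
    sudo -v
    ( while kill -0 "$$" 2>/dev/null; do sudo -n true; sleep 60; done ) &
}

# Usage inside the long-running script:
#   keep_sudo_alive
#   sudo /bin/kill -HUP "$pid"       # runs without a second prompt
```

The keepalive stops on its own once the parent script exits, and `install_dropin scriptuser /bin/kill /usr/bin/othercommand` is the one-time setup step run by an administrator, not by the script.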