Should I use sudo in a script or sudo an entire script


I run a small group of macOS machines for students (say 20) and they all need to be set up with things like homebrew and other packages and applications. I'm writing a bash script to automatically install all the things needed on each computer. Some of the commands I'll be using require being run as root, but not most of them.

I was wondering if it would be better to individually sudo each of these commands in the script, or leave sudo out of the script and sudo the entire script. I'd like to know which one will be safer (security wise), and better for my situation. I'd rather not be prompted for a password throughout the script, but I also don't want to run every line in the script as root, as it's unsafe.

Best Answer

Following the principle of least privilege, run as little as you can as root. Therefore, sudo from within the script.

Note that the first time there is a command that needs sudo, you may be prompted. (That won't be true if you applicably use NOPASSWD in /etc/sudoers, which is a technique that many people will shun as also being insecure.) However, when you run sudo and provide a password, sudo will remember the success for a period of time. By default that period of time is five minutes. So if you ran "sudo echo hi", typed in your password, and then ran the script soon after that, then there would be no need for you to be prompted for a password when you run the script. More realistically, if you just run the script, you will likely just be asked to sudo once... presuming that your script takes less than five minutes to complete the remaining tasks.

I might not worry about a few echo commands, but if there is significant content that can be done without extra permissions, then, for the sake of security, I generally like to maximize how much is done with minimal elevation.

As an example of minimizing permissions, let me show you another sample scenario. Instead of:
sudo sh -c "sample-command >> /var/log/output.txt"

I like to use:
sample-command | sudo tee -a /var/log/output.txt >> /dev/null

By doing this, the entire command runs without sudo, and the only part that ends up having enhanced permissions is the part that needs enhanced permissions, which is the part that writes to the file.

Clearly, my goal here is to minimize how much is done elevated. Similarly, if your entire script doesn't require elevation, the preferred approach (from a security perspective) is to minimize how much is done elevated.
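As an added example (not code from the question or the answer), here is a skeleton of the per-command approach as a script: it validates sudo once at the start with `sudo -v` so the single password prompt comes at a predictable point, runs the ordinary steps as the user, and elevates only the `tee` that writes the root-owned file. The package step and the log line are placeholders, and the `SUDO` variable is an assumption of this example so the same functions can run without elevation in a test.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): skeleton of a setup script that stays
# unprivileged and elevates only the individual steps that need root.
set -eu
# Elevation wrapper. Defaults to sudo; setting SUDO="" (e.g. in a test) runs the
# same functions without elevation, so the script's logic does not change.
SUDO="${SUDO-sudo}"
# True when the current process already runs as root (i.e. someone did
# "sudo ./setup.sh", which would make every line of the script privileged).
is_root() {
    [ "$(id -u)" -eq 0 ]
}

# Validate the sudo timestamp once up front so the password prompt comes at a
# predictable point. sudo caches the success (five minutes by default), so the
# per-command sudo calls below will not prompt again while the script runs.
authenticate_once() {
    if [ -n "$SUDO" ]; then
        $SUDO -v
    fi
}

# Unprivileged step: Homebrew and other user-level installs run as the user.
# (Placeholder; the real install commands go here.)
install_user_packages() {
    echo "installing user-level packages as $(id -un)"
}

# Privileged write done the way the answer describes: the producing command runs
# as the user and only tee, the part that touches the root-owned file, is elevated.
append_to_root_owned_file() {
    local file="$1"
    local line="$2"
    printf '%s\n' "$line" | $SUDO tee -a "$file" > /dev/null
}

main() {
    if is_root; then
        echo "run this as your normal user, not via sudo; it elevates only what it must" >&2
        return 1
    fi
    authenticate_once
    install_user_packages
    append_to_root_owned_file /var/log/output.txt "setup completed by $(id -un) on $(date)"
}

# Entry point is explicit so the functions above can also be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `bash setup.sh --run` from the normal user account; only `sudo -v` and the `tee` step ever ask for or use elevated rights.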
