Ubuntu – Best practices on using sudo in a bash script

bashsusudo

I have a long and long-running bash script where a handful of commands need to be run as root while the majority of commands need to be run as the regular user before sudo, because it would mess up file ownership and such.

I came up with some methods, but each of them have some problems

Method 1: Using sudo inside the file

#!/bin/bash
sudo echo "I must be run by root"
touch needsToBeOwnedByUser1
echo "needs to be run by user"
sleep 1000
sudo echo "I, again, must be run by root"

This would look good, from the way the code is written. sudo is written before the few statements that actually need to be run by root, but if the time between each sudo call is too long sudo again asks for a password. Also, if the first execution of sudo fails, e.g. due to an invalid password, the rest of the script is still executed.

Method 2: using sudo to call the file and then change back to the original user when needed

#!/bin/bash
echo "I must be run by root"
su username -c 'touch needsToBeOwnedByUser1'
su username -c 'echo "needs to be run by user"'
su username -c 'sleep 1000'
echo "I, again, must be run by root"

This also sucks, because I need to add su username -c in front of almost every line. Also finding the original username after sudo is possible, but cumbersome.

Is there a better way?

Edit: I only posted small, nonsensical scripts here to show what I am talking about. In the actual script I have some lines that need sudo (starting and stopping services), some lines where it does not matter if there is sudo and quite a lot of lines that really need to be run without sudo.

Best Answer

Regarding method 2, it's easier to use a function. For example:

#!/bin/bash

func(){
    echo "Username: $USER"
    echo "    EUID: $EUID"
}

export -f func

func
su "$SUDO_USER" -c 'func'

$SUDO_USER is the sudoer's username. You could also use $(logname) in its place.

Running on my machine:

$ sudo bash test.sh
[sudo] password for wja: 
Username: root
    EUID: 0
Username: wja
    EUID: 1000

Related Solutions

Ubuntu – Adding root privileges to a bash script

The best solution would be use visudo (this tool was made for that and will avoid the exposition of root password), I suggest you to dig what are going wrong with that.

As a workaround, you can run this:

echo <password> | sudo -S some-script

(start the command with a space so it won't be saved in bash history).

Regards.

Ubuntu – Proper way to let user enter password for a bash script using only the GUI (with the terminal hidden)

The -A sudo option allows you to specify a helper program (in the SUDO_ASKPASS variable) that will ask for the password.

Create a script to ask the password (myaskpass.sh):

#!/bin/bash
zenity --password --title=Authentication

Then insert this line at the beginning of your script:

export SUDO_ASKPASS="/path/to/myaskpass.sh"

and replace all occurences of sudo <command> with:

sudo -A <command>

You can use whatever password asking program you want instead of zenity. I had to encapsulate it within a script because SUDO_ASKPASS must point to a file, so it won't work with the --password option required by zenity.

The above works like a charm if it runs from command line or if you choose Run in terminal after double click the script file in the file manager, but if you choose Run or try to launch it from a .desktop file every sudo will ask for the for password again.

If you don't want a terminal window at all, you can store the password in a variable and pipe it to sudo -S. Maybe there's some security concerns, but I think it's pretty safe (read the comments on this answer).

Insert this line at the beginning of your script:

PASSWD="$(zenity --password --title=Authentication)\n"

and replace all occurences of sudo <command> with:

echo -e $PASSWD | sudo -S <command>

Best Answer

Related Solutions

Ubuntu – Adding root privileges to a bash script

Ubuntu – Proper way to let user enter password for a bash script using only the GUI (with the terminal hidden)

Related Question