Ubuntu – How to run a graphical sudo in bash on kubuntu 18.04 now that kdesudo is gone

Tags: bash, command line, gui, kubuntu, sudo

TL;DR: What's the new right way to do a graphical sudo from a shell script?

Flailing:

I just upgraded from kubuntu 16.04 to 18.04 and I'm doing the normal triage.

kdesudo is gone in 18.04 (unmaintained).

I use it a lot in bash scripts with GUI i/o.

Some post said use kdesu – which seems weird.
I seem to recall that it messes with the effective user or something like that.

That's not installed in my PATH.

I found it at

    bigbird@sananda:~/pq$ ls -l /etc/alternatives/kdesu
    rwxrwxrwx 1 root root 41 Aug 19 03:23 /etc/alternatives/kdesu -> /usr/lib/kde4/libexec/kdesu-distrib/kdesu

which still says kde4.

I tried sudo -A ls

and it said

    bigbird@sananda:~$ sudo -A ls
    sudo: no askpass program specified, try setting SUDO_ASKPASS

I went in a few circles looking at ksshaskpass and ssh-askpass, but both say they're not intended to be called directly.

I am not doing anything with ssh.

I need this for bash scripts that do almost everything as a normal user and then run one or two commands as root. These scripts are often launched from desktop icons where there is no terminal window open (and I don't need or want one.) They often use yad (like zenity or kdialog) to interface with the user.

Best Answer

As you have discovered, you can use the -A option with sudo, but you need a GUI method of supplying the password to sudo.

You can write such a tool any way you want, as long as it passes the password back to sudo on stdout. I use a simple solution which someone suggested to me a very long time ago, that uses kdialog, and like all simple solutions, it has remained my go-to ever since.

So create yourself a simple kdialog script, such as this:

    #!/bin/bash
    kdialog --password "Password required to proceed"

Now you use this with sudo like this

    #!/bin/bash
    # Placeholder: absolute path to the (executable) kdialog script above
    export SUDO_ASKPASS=/path/to/your/kdialog-script
    sudo -A foo

You can of course use any language you want for your GUI password provider if you don't have KDE.

EDIT: Solution to bypassing sudo passwd_tries

So that you can just ask for the password once only (as you want to do), you can capture the password in a variable within the script and pass that variable directly to the sudo command using the -S switch.

This has the advantage that it ignores the sudo passwd_tries rule, and still requires the interactive password input, so the password is not stored within the script.

    PASSWD=$(kdialog --password "sudo password required")
    # Quote the variable so spaces or glob characters in the password survive
    printf '%s\n' "$PASSWD" | sudo -S foo

You can also do it directly on a line, if you do not need multiple sudo commands in the script, like this

    printf '%s\n' "$(kdialog --password "sudo password required")" | sudo -S foo

And of course you can use your own kdialog script that we discussed earlier in place of using kdialog here, if you want a standard kdialog prompt in all your scripts.

The problem bypassing sudo's passwd_tries, from my POV, is that if you get the password wrong, your script will continue processing any commands after the sudo command, so if the sudo elevated command was critical to the script's success then you have problems.

The caveat is that the password from kdialog (or alternative such as zenity) is written on stdout, something I should have mentioned before, so anyone that has captured the PID's stdout would see your password. But then any hacker on your system would be doing a lot more than just that.
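
An added example, not part of the original answer: a wrapper around the `sudo -A` approach that returns sudo's exit status, so a wrong password stops the calling script, and that never holds the password in a shell variable. The names `make_askpass`, `run_as_root`, `ASKPASS_DIALOG` and `SUDO_BIN` are hypothetical; `foo` is the answer's placeholder command.

```bash
# Added example. Hypothetical names: make_askpass, run_as_root,
# ASKPASS_DIALOG (command that prints the password on stdout),
# SUDO_BIN (sudo binary to call, overridable for testing).

# Write a one-off askpass helper into a private directory; print its path.
make_askpass() {
    local dir helper
    dir=$(mktemp -d) || return 1      # mktemp -d creates the directory mode 0700
    helper="$dir/askpass"
    printf '#!/bin/sh\n%s\n' \
        "${ASKPASS_DIALOG:-kdialog --password 'Password required to proceed'}" \
        > "$helper" || return 1
    chmod 700 "$helper" || return 1   # sudo needs it executable; keep it owner-only
    printf '%s\n' "$helper"
}

# Run one command through sudo -A and hand sudo's exit status to the caller.
# The password flows from the helper to sudo; this script never stores it.
run_as_root() {
    local helper status=0
    helper=$(make_askpass) || return 1
    SUDO_ASKPASS="$helper" "${SUDO_BIN:-sudo}" -A -- "$@" || status=$?
    rm -rf -- "$(dirname -- "$helper")"   # remove the helper once sudo is done
    return "$status"
}

# Usage in a desktop-launched script: stop when elevation fails.
#   run_as_root foo || { kdialog --error "Could not run foo as root"; exit 1; }
```

Because `sudo -A` is used here, sudo's own `passwd_tries` limit still applies; the wrapper only makes sure a failed elevation is visible to the rest of the script.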