Security Bash Scripts – Why SUDO Password is Being Bypassed

bashscriptsSecuritysudo

I have a bash script I am using to automate a SVN checkout. The contents of the file were:

#!/bin/bash
cd /var/www-cake
sudo svn checkout file:///usr/local/svn/bash_repo/repo/

Then when I double click the file it would ask me what to do, I would click the button "Run In Terminal" and then a terminal would pop up and ask me for the SUDO password. I would enter it, the script would execute and the terminal would close.

I wanted to give some sort of indication that the script ran successfully so I edited my file to look like:

#!/bin/bash
cd /var/www-cake
sudo svn checkout file:///usr/local/svn/bash_repo/repo/
echo "Head revision has been pushed to live server"

I expected the terminal to now stay open and tell me the message afterwards. To my surprise it now opens and immediately closes. The script does execute and I no longer have to put in the SUDO password.

Is this right? I do not understand why this is happening, seems like a security issue.

Best Answer

sudo remembers your password for some time (15 minutes by default). You can make sudo to forget the password by running sudo -k

Related Solutions

Command Line Sudo Root – How to Execute Sudo Without Password

You can configure sudo to never ask for your password.

Open a Terminal window and type:

sudo visudo

In the bottom of the file, add the following line:

$USER ALL=(ALL) NOPASSWD: ALL

Where $USER is your username on your system. Save and close the sudoers file (if you haven't changed your default terminal editor (you'll know if you have), press Ctl + x to exit nano and it'll prompt you to save).

As of Ubuntu 19.04, the file should now look something like

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

YOUR_USERNAME_HERE ALL=(ALL) NOPASSWD: ALL

After this you can type sudo <whatever you want> in a Terminal window without being prompted for the password.

This only applies, to using the sudo command in the terminal. You'll still be prompted for your password if you (for example) try to install a package from the software center

gui password prompt

Ubuntu – How to check if sudo password has been entered for this terminal session

You can use:

if sudo -n true 2>/dev/null; then 
    echo "I got sudo"
else
    echo "I don't have sudo"
fi

The -n (non-interactive) option prevents sudo from prompting the user for a password. If a password is required for the command to run, sudo will display an error message (redirected to /dev/null) and exit. If the password is not required, then this expression is true: sudo -n true 2>/dev/null.

Best Answer

Related Solutions

Command Line Sudo Root – How to Execute Sudo Without Password

Ubuntu – How to check if sudo password has been entered for this terminal session

Related Question