Bash – If I sudo execute a Bash script file, will all commands inside the Bash script be executed as sudo as well

bashshellshell-scriptsudo

I want to write an automated post-installation script in Bash (called post-install.sh, for instance). The script will automatically add and update repositories, install and update packages, edit config files, etc.

Now, if I execute this script, for instance with sudo post-install.sh, will I only be prompted for a sudo password once, or will I need to enter the sudo password on each invocation of a command inside the script, that needs sudo permission? In other words, do the commands inside the bash script 'inherit' the execution permissions, so to speak?

And, if they indeed do, is there still a possibility that the sudo permissions will time out (if, for instance, a particular command takes long enough to exceed the sudo timeout)? Or will the initial sudo password entrance last for the complete duration of whole script?

Best Answer

Q#1: Will I only be prompted for a sudo password once, or will I need to enter the sudo password on each invocation of a command inside the script, that needs sudo permission?

Yes, once, for the duration of the running of your script.

NOTE: When you provide credentials to sudo, the authentication is typically good for 5 minutes within the shell where you typed the password. Additionally any child processes that get executed from this shell, or any script that runs in the shell (your case) will also run at the elevated level.

Q#2: is there still a possibility that the sudo permissions will time out (if, for instance, a particular command takes long enough to exceed the sudo timeout)? Or will the initial sudo password entrance last for the complete duration of whole script?

No they will not timeout within the script. Only if you interactively were typing them within the shell where the credentials were provided. Every time sudo is executed within this shell, the timeout is reset. But in your case they credentials will remain so long as the script is executing and running commands from within it.

excerpt from sudo man page

This limit is policy-specific; the default password prompt timeout for the sudoers security policy is 5 minutes.

Related Solutions

Sudo – How to Force Sudo to Prompt for a Password

sudo -k Will kill the timeout timestamp. You can even put the command afterwards, like sudo -k test_my_privileges.sh

From man sudo:

-K The -K (sure kill) option is like -k except that it removes the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password.

-k When used by itself, the -k (kill) option to sudo invalidates the user's time stamp by setting the time on it to the Epoch. The next time sudo is run a password will be required. This option does not require a password and was added to allow a user to revoke sudo permissions from a .logout file.

You can also change it permanently. From man sudoers:

timestamp_timeout

Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

I add this to my bash script:

# ask for password up-front.
sudo -v
# Keep-alive: update existing sudo time stamp if set, otherwise do nothing.
while true; do sudo -n true; sleep 60; kill -0 "$$" || exit; done 2>/dev/null &

Found it here:

https://serverfault.com/questions/266039/temporarlly-increasing-sudos-timeout-for-the-duration-of-an-install-script

https://gist.github.com/cowboy/3118588

I use another script to launch my main script and I use a .desktop file to launch that helper script. It's not very straightforward, but it can be made to work 100% GUI. I'm still looking for the perfect solution, but this is doing the trick for now.

Best Answer

Related Solutions

Sudo – How to Force Sudo to Prompt for a Password

Bash – Graphically ask for password in a bash script and retain default sudo timeout setting

Related Question