How do I run a sudo command needing password input in the background?

14,461

Solution 1

Instead of running sudo in the background, tell sudo to run the command in the background. From man sudo:

-b, --background
     Run the given command in the background.  Note that it is not
     possible to use shell job control to manipulate background
     processes started by sudo.  Most interactive commands will
     fail to work properly in background mode.

For example:

sudo -b sleep 10

Another way would be to just use a shell to run the command:

sudo sh -c 'sleep 10 &'

Another option would to specify a graphical program for obtaining the password, and send sudo to the background anyway:

-A, --askpass
     Normally, if sudo requires a password, it will read it from
     the user's terminal.  If the -A (askpass) option is
     specified, a (possibly graphical) helper program is executed
     to read the user's password and output the password to the
     standard output.  If the SUDO_ASKPASS environment variable is
     set, it specifies the path to the helper program.  Otherwise,
     if sudo.conf(5) contains a line specifying the askpass
     program, that value will be used.  For example:

         # Path to askpass helper program
         Path askpass /usr/X11R6/bin/ssh-askpass

     If no askpass program is available, sudo will exit with an
     error.

Askpass programs are typically used for SSH. One such is provided by the ssh-askpass-gnome package, which is installed by default, at least on Ubuntu 15.10.

SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -A sleep 10 &

Solution 2

If you're willing to set timestamp_timeout to at least something like 0.02 (1.2 seconds, I'd say just as safe as 0) in /etc/sudoers (needed in your case, but with the default settings or with timestamp_timeout set to anything but 0 one may just do the following), you could set an alias like this one in ~/.bashrc, which won't require you to remember to do something before running the command and which will allow you to keep the control of the process.:

alias sudo='sudo -v; [ $? ] && sudo'

The trick here is the semicolon, which will make Bash parse sudo -v first and separately, authenticating the user, and limit the potential backgrounding part to the [ $? ] && sudo command, which will check if sudo -v was succesful and run sudo again (potentially backgrounding it) in case it was.

$ alias sudo='sudo -v; [ $? ] && sudo'
$ sudo -H gedit &
[sudo] password for user:
[1] 19966
$ jobs
[1]+  Running                 [ $? ] && sudo -H gedit &

Solution 3

You can't. The & sends the command to the background immediately. That is, a subshell is created in the background and the command is executed there. When that command issues a prompt, as is the case of sudo, the prompt is displayed in the background and you never see it.

The only way around that is to bring the command back to the foreground, provide the password and send it back to the background. For example:

$ sudo command &
$ fg
sudo command
[sudo] password for terdon: 

Now, enter your password, hit Enter and then hit CtrlZ to send it back to the background and bg to tell it to continue running.

A simpler approach would be to never use & and, instead, send jobs to the background manually with CtrlZ and bg after launching them.

Finally, you might want to consider setting sudo's password timeout to something like 1 or 2 seconds. That would still give you enough security (unless you're trying to guard against the Flash) and allow you to run commands like that as expected.

Share:
14,461

Related videos on Youtube

muru
Author by

muru

Updated on September 18, 2022

Comments

  • muru
    muru over 1 year

    I have recently disabled sudo's authentication caching ability so that it now prompts me for a password every time.

    And though this is good for security, it has caused one slight problem which I haven't been able to figure out a solution for, I am unable to run commands which go along the lines of:

    sudo <command> &
    

    In the past I would have run a sudo command before that, it would have cached my password and allowed me to run sudo commands without prompt for the next few minutes, and thus it would allow me to run the command.
    But when I run it now as there is no caching before hand and as it starts a new thread immediately and sudo doesn't even prompt me for a password, I am unable to run it in this way.

    So unless I run sudo -i before it I am unable to run a command in this format which is becoming rather annoying.
    So I was wondering if there is any way to get around this and still run programs and commands in this way?

    I am running Ubuntu GNOME 15.10 with GNOME 3.18, and specifically the program I want to run in this fashion is etherape if that makes any difference, but I would really like the solution to work for all programs and commands.

    • Admin
      Admin about 8 years
      @kossince & isn't really searchable, I'm changing that to … sudo command in the background.
    • Admin
      Admin about 8 years
      @muru If you can make popular search engines search for special characters instead. :P
    • Admin
      Admin about 8 years
  • muru
    muru about 8 years
    Does sudo -v extend credential caching even if caching is disabled? And, IIRC< for aliases to expand, the space should be at the end of the command, not at the beginning.
  • kos
    kos about 8 years
    @muru RIght I forgot he has timestamp_timeout set to 0. And yeah, I completely messed up with the alias expansion thing, actually the alias shouldn't expand. Thanks.
  • G-Man Says 'Reinstate Monica'
    G-Man Says 'Reinstate Monica' about 8 years
    Wouldn't alias sudo='sudo -v && sudo' be just as good?
  • kos
    kos about 8 years
    @G-Man No, this works because the ; makes Bash parse sudo -v first and separately; using && Bash would parse both as a single command and background both immediately.
  • Admin
    Admin about 8 years
    The Flash has been stealing my chocolate cake so... ;P
  • Damian Yerrick
    Damian Yerrick about 8 years
    In this era of Adobe vulnerabilities and malware that infects the firmware, being wary of the Flash is warranted.
  • terdon
    terdon about 8 years
  • kos
    kos about 8 years
    On a side note, is it actually possible to set the timeout to seconds? man sudoers says timestamp_timeout's value shall specify minutes with a possible fractional part (which by the way makes sudo error out if I try to specify one, not sure why).
  • terdon
    terdon about 8 years
    @kos ah, that's a very good point. I hadn't actually checked but, apparently, yes. I just tried setting it to 0.01 and on my Arch and it asks each time I run it.
  • kos
    kos about 8 years
    Then apparently my sudo version is bugged. I can't even set the timeout to 2.5, which would be man sudoers' suggestion, I get "sudo: value `2.5' is invalid for option `timestamp_timeout' " each time I run a command if I do, and it stops complaining only if I set it to an integer number.
  • terdon
    terdon about 8 years
    @kos sounds like it yes. 2.5 works fine here (Arch, sudo version 1.8.15).
  • matanster
    matanster almost 4 years
    For 18.04, you have to install ssh-askpass. Anyway, not sure how much using that option degrades the security surface of using sudo though.