Use sudo without password INSIDE a script

linux bash shell sudo
111,740

Solution 1

From my blog: IDMRockstar.com:

The kicker is that sometimes, I need to run commands as root. Here's the quick and dirty way I accomplish that without divulging the passwords:

#! /bin/bash
read -s -p "Enter Password for sudo: " sudoPW
echo $sudoPW | sudo -S yum update

This way the user is prompted for the password (and hidden from terminal) and then passed into commands as needed, so I'm not running the entire script as root =)

If you have a better, way, I'd love to hear it! I'm not a shell scripting expert by any means.

Cheers!

.: Adam

Solution 2

If you want to run sudo /usr/bin/apt-get update without a password, you need to have the sudoers entry:

user ALL=(ALL:ALL) NOPASSWD:/usr/bin/apt-get update

For the larger issue of the script as a whole, there are two possible approaches:

Approach 1

For each command in the script that needs sudo, create a line in sudoers specifically for that command. In this case, the script can be called normally:

./script1.sh

Approach 2

Place a line in sudoers for the script as a whole. When this is done, the individual commands do not need sudo. However, sudo must be used to start the script as in:

sudo ./script.sh

Solution 3

If your password isn't something you want to be very secure about, (maybe some testing server in the company etc.) you can elevate to sudo in the script via echo like:

echo YourPasswordHere | sudo -S Command

The prompt still prints the "enter password" text to output though. So don't expect it to be neat.

See this Askubuntu post

Solution 4

As you noted, the file that must appear in the sudoers configuration is the one that is launched by sudo, and not the one that runs sudo.

That being said, what we often do, is having something like 

user ALL=(ALL:ALL) NOPASSWD:/path/to/script.sh

in the sudo configuration, where script.sh has all the commands that the script has to do.

Then we define either a Bash function or an alias so that script.sh is actually 

sudo /path/to/script.sh

The only issue is if some commands must not be run as root, you need to insert some su - user -c "command" commands in the script.

Solution 5

I suggest you look at the sudo environment variables - specifically you can use (and check for) $SUDO_USER. Call your script with sudo (1 entry in sudoers), then do user stuff as SUDO_USER and root stuff as root.

Share:
111,740

Related videos on Youtube

Nilexys
Author by

Nilexys

All ideas are welcomed, but please notice that it is in my philosophy to prefer high level solutions.

Updated on July 09, 2022

Comments

  • Nilexys
    Nilexys almost 2 years

    For some reason I need, as user, to run without sudo a script script.sh which needs root privileges to work.
    I saw as the only solution to put sudo INSIDE script.sh. Let's take an example :

    script.sh :

#!/bin/sh
sudo apt-get update

    Of course, if I execute this script, I get a prompt asking me for a password. Then I added to my sudoers file (at the end to override everything else) :

    user ALL=(ALL:ALL) NOPASSWD:/path/to/script.sh

    By the way, I also tried the line :

    user ALL=(ALL) NOPASSWD:/path/to/script.sh

    (I think I didn't fully understand the difference)

    But this doesn't solve my problem if I don't use sudo to execute this script :

    # ./script.sh
[sudo] password for user: 
# sudo ./script.sh
Starts updating...

    Well, so I say to myself "Ok, that means that if I have a file refered in sudoers as I did, it will work without prompt only if I call him with sudo, what is not what I want".
    So, ok, I create another script script2.sh as following :

    script2.sh

#!/bin/sh
sudo /path/to/script.sh

    In fact it works. But I am not truly satisfied of this solution, particularly by the fact that I have to use 2 scripts for every command.

    This post is then for helping people having this problem and searching for the same solution (I didn't find a good post on it), and perhaps have better solutions coming from you guys.

    Feel free to share your ideas !

    EDIT 1 :

    I want to insist on the fact that this "apt-get update" was just an example FAR from whhat my script actually is. My script has a lot of commands (with some cd to root-access-only config files), and the solution can't be "Well, just do it directly with apt-get".

    The principle of an example is to help the understanding, not to be excuse to simplify the answer of the general problem.

    • Barmar
      Barmar almost 10 years
      NOPASSWD:/path/to/script.sh means you can do sudo /path/to/script.sh without a password. It doesn't mean that the script can use sudo without a password.
    • hek2mgl
      hek2mgl almost 10 years
      @Barmar This could be an answer
    • Barmar
      Barmar almost 10 years
      @hek2mgl I noticed after that he already has something like this in the question.
  • Nilexys
    Nilexys almost 10 years
    apt-get was an example. In fact, my script has a lot of commands... I am not dumb enough to make a script doing exactly what apt-get does !
  • FreelanceConsultant
    FreelanceConsultant almost 8 years
    I added the line user ALL=(ALL:ALL) NOPASSWD:/path-to-script which seemed to work for sudo sshfs ... commands inside that script
  • Ingo Bürk
    Ingo Bürk over 7 years
    Instead of using a second root, you should just use visudo. That's what it's for. Also, this approach allows anyone to update the system without password.
  • Bob
    Bob about 7 years
    This answer is very similar to the one by Eaton Emmerich a year earlier, maybe the read -s -p part could be added to it as an alternative approach to storing the password in the file.
  • keith
    keith over 6 years
    Still prompts for password
  • Varus Septimus
    Varus Septimus over 6 years
    There are 2 distinct things at play here: (1) Command 'sudo usermod -aG sudo username' gives sudo privileges to user username. (2) However, it does not, by itself give sudo passwordless privileges to that user. For that to happen, the following line must be present in the /etc/sudoers file: '%sudo ALL=(ALL:ALL) ALL' (this line gives passwordless privileges at group level). This was the presupposition of my post. I hope this clarifies.
  • keith
    keith over 6 years
    Thanks for the clarification. If you can update your answer, it will unlock my downvote so I can turn it into an upvote :-)
  • Russ Bateman
    Russ Bateman over 5 years
    Note that the -s option to read isn't supported in Bourne, but bash only, so don't confuse yourself by prefixing your script with the wrong shebang.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

sudo to run command as different user
How to provide password directly to the sudo su -<someuser> in shell scripting
Detach a daemon using sudo?
Permission denied when trying to append a file to a root owned file with sudo
Execute a shell script in current shell with sudo permission
How to get the pid of command running with sudo
Convert Bash Scripts To Shell
why is this simple FOR LOOP in my Linux bash not working?
linux mail adding content type headers not working
Rename multiple files in bash