sudo-agent
John E Hein at work
jhein at timing.com
Mon Jun 11 20:42:51 EDT 2001
I have the need to be able to run a script that takes a long time that
only needs sudo privs at a few strategic points in the script.
I would like to be able to enter my password at the beginning of the run,
but not run as su until a sudo is actually executed. In essence something
could securely store the sudo credential until needed.
When the script exits, it effectively does a sudo -k.
For those familiar with ssh, this is like ssh-agent / ssh-add.
Here's an example using ssh:
$ ssh-agent /bin/sh # sets some env, spawns a new shell
$ ssh-add
# asks for passphrase here
$ ssh remote_host ps # don't need to type passphrase again here
$ scp remote_host:/tmp/foo /tmp # nor here
$ ls /tmp/foo
$ scp remote_host:/tmp/bar /tmp # nor here
$ exit
$ scp remote_host:/tmp/baz /tmp # but here it asks for passphrase again
and an example using the figment of my imagination, sudo-agent:
$ cat myscript
#!/bin/sh
sudo-add
make part1 # as regular user... big project... takes a long time
sudo make part1-install # needs root
make part2 # as regular user again... depends on part1 being
# fully built and installed
sudo make part2-install # needs root
make part3 # as regular user again... depends on part2
sudo make part3-install # needs root
$ sudo-agent myscript
# asks for password here due to sudo-add command, but never again
#
# when it gets to the first sudo, it uses the password credential
# stored from the sudo-add command... and runs 'make part1-install' as root
#
# likewise for 'sudo make part2-install'... etc.
# when the script ends, so do all traces of the sudo credential
Anyone ever done something like that? This avoids the problem with sudo
timing out and exiting after a few minutes if I don't get back to type the
password at the right time. And it allows me to just type in the password
once and not have to come back and type it in each time I need sudo privs
in the script.
Right now, our workaround is to call sudo-wrapper:
#!/bin/sh
# Avoid sudo timeouts in long-running, multi-part makefiles
while :
do
    # Refresh the cached credential (prompts if it has expired); on a bad
    # password (sudo exits 1) go round again rather than running the command.
    sudo -v
    if [ $? -eq 1 ]
    then
        continue
    fi
    # Pass the arguments through unchanged ("$@", not $*, keeps words with
    # spaces intact) and save the exit status before 'break' clobbers $?.
    sudo "$@"
    status=$?
    break
done
exit $status
But this still requires me to return to the script each time sudo needs
to be updated with a fresh password. If my script takes 15 hours to run
and needs sudo privs a dozen times, this gets to be tedious. For a build
as complex as this one, I don't want to run the whole thing as root.
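The sudo-agent above is imaginary, but most of what it would do can be had from stock sudo: prompt once with 'sudo -v', keep the cached credential fresh in the background, and revoke it with 'sudo -k' when the script ends. The following sudo-keepalive wrapper is an added example, not code from the original post, and assumes sudoers has a non-zero timestamp_timeout and that the user may run 'sudo -v'. The SUDO and SUDO_REFRESH variables are hypothetical knobs so the logic can be exercised with a stub in place of the real sudo.

```sh
#!/bin/sh
# sudo-keepalive: added example (not from the original post).  Usage:
#     sudo-keepalive myscript
# Prompts for the sudo password once up front ('sudo -v'), keeps the cached
# credential fresh in the background while the script runs, and drops it
# with 'sudo -k' when the script ends, whether normally or by signal.
#
# Assumptions (not stated in the original): sudoers has a non-zero
# timestamp_timeout and the user may run 'sudo -v'.  SUDO and SUDO_REFRESH
# are overridable so the logic can be exercised with a stub instead of sudo.

SUDO=${SUDO:-sudo}                 # the sudo command to use
SUDO_REFRESH=${SUDO_REFRESH:-60}   # seconds between refreshes; keep it
                                   # well under timestamp_timeout

# Refresh the cached credential until told to stop.  '-n' makes sudo fail
# instead of prompting if the timestamp has expired or been revoked, so a
# background process never hangs on a prompt nobody will answer.  The loop
# also quits if the foreground shell ($$ is inherited by the subshell) has
# disappeared, so a killed wrapper cannot leave an orphan keeping root
# credentials alive indefinitely.
refresh_loop() {
    while :; do
        sleep "$SUDO_REFRESH"
        kill -0 "$$" 2>/dev/null || return 1
        "$SUDO" -n -v || return 1
    done
}

# Stop the background refresher and reap it.
stop_refresh() {
    kill "$refresher" 2>/dev/null || :
    wait "$refresher" 2>/dev/null || :
}

# Run "$@" with the credential kept alive; return the command's exit status.
run_with_keepalive() {
    # Prompt once.  If the password is wrong or sudo refuses, go no further.
    "$SUDO" -v || return 1

    refresh_loop &
    refresher=$!

    # Ctrl-C or TERM: stop the refresher, revoke the credential, then exit
    # non-zero so the caller sees the run did not complete.
    trap 'stop_refresh; "$SUDO" -k; exit 130' INT TERM

    status=0
    "$@" || status=$?

    trap - INT TERM
    stop_refresh
    "$SUDO" -k            # the 'sudo -k' at the end of the script
    return "$status"
}

# When run as a script (rather than sourced for testing), wrap the command.
if [ $# -gt 0 ]; then
    run_with_keepalive "$@"
fi
```

Two caveats worth knowing before relying on it: if the wrapped script itself runs 'sudo -k', the refresher's next 'sudo -n -v' fails and the loop exits, so later sudo calls in the script will prompt again; and with timestamp_timeout set to 0 in sudoers there is no cached credential to keep alive at all, so every sudo prompts regardless.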