sudo-agent

John E Hein at work jhein at timing.com
Mon Jun 11 20:42:51 EDT 2001


I have the need to be able to run a script that takes a long time that
 only needs sudo privs at a few strategic points in the script.

I would like to be able to enter my password at the beginning of the run,
 but not run as su until a sudo is actually executed.  In essence something
 could securely store the sudo credential until needed.

When the script exits, it effectively does a sudo -k.

For those familiar with ssh, this is like ssh-agent / ssh-add.


Here's an example using ssh:

$ ssh-agent /bin/sh                # sets some env, spawns a new shell
$ ssh-add
 # asks for passphrase here
$ ssh remote_host ps               # don't need to type passphrase again here
$ scp remote_host:/tmp/foo /tmp    # nor here
$ ls /tmp/foo
$ scp remote_host:/tmp/bar /tmp    # nor here
$ exit
$ scp remote_host:/tmp/baz /tmp    # but here it asks for passphrase again


and an example using the figment of my imagination, sudo-agent:

$ cat myscript
#!/bin/sh
sudo-add
make part1               # as regular user... big project... takes a long time
sudo make part1-install  # needs root
make part2               # as regular user again... depends on part1 being
                         #   fully built and installed
sudo make part2-install  # needs root
make part3               # as regular user again... depends on part2
sudo make part3-install  # needs root
$ sudo-agent myscript
 # asks for password here due to sudo-add command, but never again
 #
 # when it gets to the first sudo, it uses the first password credential
 #  stored from the ssh-add command... and runs 'make part1-install' as root
 #
 # likewise for 'sudo make part2-install'... etc.

 # when the script ends, so do all traces of the sudo credential



Anyone ever done something like that?  This avoids the problem with
 sudo timing out and exiting after a few minutes if I don't get back to
 type the password at the right time.  And it allows me to just type in
 the password once and not have to come back and type it in each time I
 need sudo privs in the script.


Right now, our workaround is to call sudo-wrapper:

#!/bin/sh
# Avoid sudo timeouts in long-running, multi-part makefiles:
# re-validate the timestamp (prompting if needed) until it succeeds,
# then run the real command once and return its exit status.
while :
do
    sudo -v
    if [ $? -eq 1 ]
    then
        continue          # wrong password: prompt again
    fi
    sudo "$@"             # "$@" keeps arguments containing spaces intact ($* did not)
    rc=$?                 # capture before break, whose own status (0) would replace $?
    break
done
exit $rc


But this still requires me to return to the script each time sudo needs
 to be updated with a fresh password.  If my script takes 15 hours to run
 and needs sudo privs a dozen times, this gets to be tedious.  For a build
 as complex as this one, I don't want to run the whole thing as root.
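As an added example (not the poster's sudo-wrapper and not a real sudo-agent), the usual substitute for the agent described above is to prompt once, keep sudo's cached credential alive from a background loop while the script runs, and invalidate it when the script exits; SUDO_CMD and REFRESH_SECS are assumed knobs so the functions can be exercised with a stub instead of the real sudo binary:

```shell
#!/bin/sh
# Added example, not the poster's sudo-wrapper and not a real sudo-agent:
# prompt once, keep sudo's cached credential alive from a background loop
# while the script runs, then drop it on exit ("effectively does a sudo -k").
#
# SUDO_CMD and REFRESH_SECS are assumed knobs (they let the functions be
# exercised with a stub instead of the real sudo binary).
: "${SUDO_CMD:=sudo}"
: "${REFRESH_SECS:=60}"   # keep well below sudo's timestamp_timeout (5 min default)

# Authenticate once up front; -v prompts if needed and updates the timestamp.
sudo_prime() {
    "$SUDO_CMD" -v
}

# Background loop: -n (non-interactive) so a stale timestamp makes the loop
# stop quietly instead of blocking an unattended build on a password prompt.
sudo_refresher() {
    while "$SUDO_CMD" -n -v 2>/dev/null; do
        sleep "$REFRESH_SECS"
    done
}

# Stop the refresher and invalidate the timestamp so nothing outlives the run.
sudo_cleanup() {
    kill "$refresher_pid" 2>/dev/null
    "$SUDO_CMD" -k
}

# sudo_run CMD [ARGS...]: run CMD (which may call sudo at a few points)
# under the refresher and return CMD's own exit status.
sudo_run() {
    sudo_prime || return 1
    sudo_refresher &
    refresher_pid=$!
    trap sudo_cleanup EXIT
    trap 'exit 130' INT TERM   # route signals through the EXIT trap
    "$@"
    rc=$?
    sudo_cleanup
    trap - EXIT INT TERM
    return "$rc"
}

# Usage (the post's scenario): sudo_run ./myscript
```

Note that while the refresher runs, any process in the same sudo timestamp scope (the session or tty, depending on the sudoers configuration) can run sudo without a password, so the privilege window is the whole build rather than only the install steps, which is a wider exposure than the agent the post describes.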



More information about the sudo-users mailing list