sudo-agent

Alek O. Komarnitsky (N-CSC) alek at ast.lmco.com
Tue Jun 12 01:42:55 EDT 2001


> From: John E Hein at work <jhein at timing.com>
> Subject: sudo-agent
> To: sudo-users at courtesan.com
> 
> I have the need to be able to run a script that takes a long time that
>  only needs sudo privs at a few strategic points in the script.
> 
> I would like to be able to enter my password at the beginning of the run,
>  but not run as su until a sudo is actually executed.  In essence something
>  could securely store the sudo credential until needed.
> 
> ...
> 
> Anyone ever done something like that?  This avoids the problem with
>  sudo timing out and exiting after a few minutes if I don't get back to
>  type the password at the right time.  And it allows me to just type in
>  the password once and not have to come back and type it in each time I
>  need sudo privs in the script.
> 
> 
> Right now, our workaround is to call sudo-wrapper:
> 
> #!/bin/sh
> # Avoid sudo timeouts in long-running, multi-part makefiles
> while :
> do
>     sudo -v                    # prompt for (or refresh) the sudo credential
>     if [ $? -eq 1 ]            # bad password: ask again
>     then
>         continue
>     fi
>     sudo "$@"                  # "$@" keeps arguments containing spaces intact
>     status=$?                  # save it now: "break" would reset $?
>     break
> done
> exit $status
> 
> 
> But this still requires me to return to the script each time sudo needs
>  to be updated with a fresh password.  If my script takes 15 hours to run
>  and needs sudo privs a dozen times, this gets to be tedious.  For a build
>  as complex as this one, I don't want to run the whole thing as root.


My submittal for the hack job of the month would be:
   sudo -v                       # so you get this interactively for password
   lockfile=/tmp/keep-my-sudo    # More appropriate name/location could be used
   touch "$lockfile"
   run-sudo-keeper "$lockfile" $$ &   # See script below - put in background!
                                 # ($$ lets it notice when this shell dies)
   run various shell commands that you want done
   rm "$lockfile"                # Remove this sorry excuse for a lockfile

And run-sudo-keeper (which is fired up in the background)
   #!/bin/sh
   lockfile=$1
   parent=$2                     # pid of the shell that started us
   while [ -e "$lockfile" ]; do
      sleep 240                  # 4 minutes
      sudo -v                    # refresh the timestamp
      kill -0 "$parent" 2>/dev/null || break   # also exit loop if "parent" process above dies
   done

That's the basic idea - some appropriate error checking/corner cases
would have to be covered ... not elegant ... but should work and some
random thoughts at close to Midnight on a warm Colorado evening!   ;-)

alek
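The keeper sketched in this thread, carried through with the corner cases filled in, as an added example that is not code from either poster. It keeps the lockfile-plus-background-refresher design but adds three things a practitioner would want: the background refresh uses `sudo -n -v` so an expired credential makes the keeper exit instead of prompting from the background, the keeper stops when the parent shell is gone, and the lockfile comes from `mktemp` rather than a fixed name in /tmp. The `SUDO_CMD` and `REFRESH_INTERVAL` environment overrides are assumptions introduced here so the script can be exercised without a real sudo; neither name comes from the thread.

```shell
#!/bin/sh
# sudo-keeper.sh: keep a cached sudo credential alive while a long job runs.
# Added example, not code from the original thread.  SUDO_CMD and
# REFRESH_INTERVAL are hypothetical overrides (not on the page) so the script
# can be tested with a stand-in for sudo.

# keep_sudo_alive LOCKFILE PARENT_PID
#   Refresh the sudo timestamp every REFRESH_INTERVAL seconds (default 240,
#   safely under sudo's upstream 5-minute timestamp_timeout) while LOCKFILE
#   exists and PARENT_PID is alive.
#   Returns 0 when the lockfile is removed (normal shutdown),
#           1 when "sudo -n -v" fails (credential expired; -n means the
#             background job never blocks on a password prompt),
#           2 when the parent process has gone away.
keep_sudo_alive() {
    lockfile=$1
    parent=$2
    sudo_cmd=${SUDO_CMD:-sudo}
    interval=${REFRESH_INTERVAL:-240}
    while [ -e "$lockfile" ]; do
        # kill -0 sends no signal; it only checks that the PID still exists.
        kill -0 "$parent" 2>/dev/null || return 2
        "$sudo_cmd" -n -v || return 1
        sleep "$interval"
    done
    return 0
}

# run_with_sudo_keeper COMMAND [ARGS...]
#   Prompt for the password once up front, run COMMAND with a keeper in the
#   background, then tear the keeper down.  Exit status is COMMAND's.
run_with_sudo_keeper() {
    [ $# -gt 0 ] || return 64
    sudo_cmd=${SUDO_CMD:-sudo}
    # mktemp rather than a fixed /tmp name: the path is unpredictable, so no
    # other local user can plant a file there ahead of us.
    lockfile=$(mktemp "${TMPDIR:-/tmp}/sudo-keeper.XXXXXX") || return 1
    "$sudo_cmd" -v || { rm -f "$lockfile"; return 1; }   # the one interactive prompt
    keep_sudo_alive "$lockfile" $$ &
    keeper=$!
    status=0
    "$@" || status=$?
    rm -f "$lockfile"                   # tells the keeper to stop...
    kill "$keeper" 2>/dev/null || true  # ...without waiting for its next wake-up
    wait "$keeper" 2>/dev/null || true
    return "$status"
}

# Usage: ./sudo-keeper.sh make -C /path/to/tree install
if [ $# -gt 0 ]; then
    run_with_sudo_keeper "$@"
fi
```

Because `-n` is passed on every refresh, a password change or an administrator running `sudo -K` shows up as the keeper exiting with status 1, and the next real `sudo` in the job fails loudly instead of a prompt appearing in the middle of a build log.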
