sudo without sudo, implying sudo in script The 2019 Stack Overflow Developer Survey Results Are InBash Function DecoratorWhy is my script calling multiple functions?sudo in non-interactive scriptWhat's the best way to make a bash function in a script as a parameter when running via command line?Executing a Bash Script Function with SudoHow to pass parameters to function in a bash script?Correct way to call a Bash function from all sessionsHow shall I reuse a function in multiple scripts?shell script: use sudo inside it vs run it with sudo?Writing a script containing just one function definition v.s. moving the code in function body to the script?
How to manage monthly salary
aging parents with no investments
Output the Arecibo Message
What is a mixture ratio of propellant?
Is bread bad for ducks?
Limit the amount of RAM Mathematica may access?
What does "sndry explns" mean in one of the Hitchhiker's guide books?
Could JWST stay at L2 "forever"?
Access elements in std::string where positon of string is greater than its size
Why do UK politicians seemingly ignore opinion polls on Brexit?
How to make payment on the internet without leaving a money trail?
What is the use of option -o in the useradd command?
Why is it "Tumoren" and not "Tumore"?
What do hard-Brexiteers want with respect to the Irish border?
Can we apply L'Hospital's rule where the derivative is not continuous?
In microwave frequencies, do you use a circulator when you need a (near) perfect diode?
Deadlock Graph and Interpretation, solution to avoid
Confusion about non-derivable continuous functions
If a poisoned arrow's piercing damage is reduced to 0, do you still get poisoned?
Should I write numbers in words or as numerals when there are multiple next to each other?
Does a dangling wire really electrocute me if I'm standing in water?
Where does the "burst of radiance" from Holy Weapon originate?
Does light intensity oscillate really fast since it is a wave?
Why don't Unix/Linux systems traverse through directories until they find the required version of a linked library?
sudo without sudo, implying sudo in script
The 2019 Stack Overflow Developer Survey Results Are InBash Function DecoratorWhy is my script calling multiple functions?sudo in non-interactive scriptWhat's the best way to make a bash function in a script as a parameter when running via command line?Executing a Bash Script Function with SudoHow to pass parameters to function in a bash script?Correct way to call a Bash function from all sessionsHow shall I reuse a function in multiple scripts?shell script: use sudo inside it vs run it with sudo?Writing a script containing just one function definition v.s. moving the code in function body to the script?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I made some scripts containing some functions which by design needs sudo permission. I have added those path in .bashrc for Linux and .bash_profile for MacOS so that it can be called from anywhere.
But I do not want the user to type sudo each time they want to call those script functions. Is there any way I can imply sudo in a way that whenever these functions are called, terminal would assume its being called from root user?
I think I should just add sudo -i at the beginning of the script or maybe each function? Or is there any other alternative way of implying sudo? Also, would be great to know if you think it would be terrible or dangerous to imply sudo and if it is not recommended.
An example of dangerous-function script that contains some functions which, I am trying to accomplish without specifying sudo
#!/bin/bash
start-one()
## do dangerous stuff with sudo
systemctl start dangerous.service
start-two()
systemctl start dangerous1.service
start-launchwizard()
systemctl start dangerous2.service
## Calling functions one by one...
"$@"
I dont want to call them by sudo dangerous-function start-one
I just want to call them with dangerous-function start-one but still get the same result as the previous one.
bash shell sudo bashrc function
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
add a comment |
I made some scripts containing some functions which by design needs sudo permission. I have added those path in .bashrc for Linux and .bash_profile for MacOS so that it can be called from anywhere.
But I do not want the user to type sudo each time they want to call those script functions. Is there any way I can imply sudo in a way that whenever these functions are called, terminal would assume its being called from root user?
I think I should just add sudo -i at the beginning of the script or maybe each function? Or is there any other alternative way of implying sudo? Also, would be great to know if you think it would be terrible or dangerous to imply sudo and if it is not recommended.
An example of dangerous-function script that contains some functions which, I am trying to accomplish without specifying sudo
#!/bin/bash
start-one()
## do dangerous stuff with sudo
systemctl start dangerous.service
start-two()
systemctl start dangerous1.service
start-launchwizard()
systemctl start dangerous2.service
## Calling functions one by one...
"$@"
I dont want to call them by sudo dangerous-function start-one
I just want to call them with dangerous-function start-one but still get the same result as the previous one.
bash shell sudo bashrc function
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
Why can't you execute the script like$ sudo ./script.sh?
– 0xSheepdog
Apr 6 at 6:36
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
1
Why don't you just add sudo to the function?start_one() { sudo systemctl ...?
– glenn jackman
Apr 6 at 11:24
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago
add a comment |
I made some scripts containing some functions which by design needs sudo permission. I have added those path in .bashrc for Linux and .bash_profile for MacOS so that it can be called from anywhere.
But I do not want the user to type sudo each time they want to call those script functions. Is there any way I can imply sudo in a way that whenever these functions are called, terminal would assume its being called from root user?
I think I should just add sudo -i at the beginning of the script or maybe each function? Or is there any other alternative way of implying sudo? Also, would be great to know if you think it would be terrible or dangerous to imply sudo and if it is not recommended.
An example of dangerous-function script that contains some functions which, I am trying to accomplish without specifying sudo
#!/bin/bash
start-one()
## do dangerous stuff with sudo
systemctl start dangerous.service
start-two()
systemctl start dangerous1.service
start-launchwizard()
systemctl start dangerous2.service
## Calling functions one by one...
"$@"
I dont want to call them by sudo dangerous-function start-one
I just want to call them with dangerous-function start-one but still get the same result as the previous one.
bash shell sudo bashrc function
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
I made some scripts containing some functions which by design needs sudo permission. I have added those path in .bashrc for Linux and .bash_profile for MacOS so that it can be called from anywhere.
But I do not want the user to type sudo each time they want to call those script functions. Is there any way I can imply sudo in a way that whenever these functions are called, terminal would assume its being called from root user?
I think I should just add sudo -i at the beginning of the script or maybe each function? Or is there any other alternative way of implying sudo? Also, would be great to know if you think it would be terrible or dangerous to imply sudo and if it is not recommended.
An example of dangerous-function script that contains some functions which, I am trying to accomplish without specifying sudo
#!/bin/bash
start-one()
## do dangerous stuff with sudo
systemctl start dangerous.service
start-two()
systemctl start dangerous1.service
start-launchwizard()
systemctl start dangerous2.service
## Calling functions one by one...
"$@"
I dont want to call them by sudo dangerous-function start-one
I just want to call them with dangerous-function start-one but still get the same result as the previous one.
bash shell sudo bashrc function
bash shell sudo bashrc function
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
edited Apr 6 at 7:00
Rakib Fiha
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
asked Apr 6 at 6:29
Rakib FihaRakib Fiha
218
218
Why can't you execute the script like$ sudo ./script.sh?
– 0xSheepdog
Apr 6 at 6:36
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
1
Why don't you just add sudo to the function?start_one() { sudo systemctl ...?
– glenn jackman
Apr 6 at 11:24
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago
add a comment |
Why can't you execute the script like$ sudo ./script.sh?
– 0xSheepdog
Apr 6 at 6:36
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
1
Why don't you just add sudo to the function?start_one() { sudo systemctl ...?
– glenn jackman
Apr 6 at 11:24
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago
Why can't you execute the script like
$ sudo ./script.sh?– 0xSheepdog
Apr 6 at 6:36
Why can't you execute the script like
$ sudo ./script.sh?– 0xSheepdog
Apr 6 at 6:36
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
1
1
Why don't you just add sudo to the function?
start_one() { sudo systemctl ... ?– glenn jackman
Apr 6 at 11:24
Why don't you just add sudo to the function?
start_one() { sudo systemctl ... ?– glenn jackman
Apr 6 at 11:24
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago
add a comment |
2 Answers
2
active
oldest
votes
The "$@" will expand to the list of command line arguments, individually quoted. This means that if you call your script with
./script.sh start-one
it will run start-one at that point (which is your function). It also means that invoking it as
./script.sh ls
it would run ls.
Allowing a user to invoke the script using sudo (or using sudo inside the script) would allow them to run any command as root, if they had sudo access. You do not want this.
Instead, you would need to carefully validate the command line arguments. Maybe something like
foo_func ()
# stuff
printf 'foo:t%sn' "$@"
bar_func ()
# stuff
printf 'bar:t%sn' "$@"
arg=$1
shift
case $arg in
foo)
foo_func "$@" ;;
bar)
bar_func "$@" ;;
*)
printf 'invalid sub-command: %sn' "$arg" >&2
exit 1
esac
Testing:
$ sh script.sh bar 1 2 3
bar: 1
bar: 2
bar: 3
$ sh script.sh baz
invalid sub-command: baz
This would be safer to use with sudo, but you would still not want to execute anything that the user gives you within your various functions directly without sanitising the input. The script above does this by restricting the user to a particular set of sub-commands, and each function that handles a sub-command does not execute, eval, or source its arguments.
Let me say that again with other words: The script does not, and should not, try to execute the user input as code in any way. It should not try to figure out whether an argument corresponds to a function in the current environment that it can execute (functions may have been put there by the calling environment) and it should not execute scripts whose pathnames were given on the command line etc.
If a script is performing administrative tasks, I would be expecting to have to run it with sudo, and I would not want the script itself to ask me for my password, especially not if it's a script that I may want to run non-interactively (e.g. from a cron job). That is, a script performing administrative tasks requiring root privileges should (IMHO) be able to assume it's running with the correct privileges from the start.
If you want to test this in the script, you could do so with
if [ "$( id -u )" -ne 0 ]; then
echo 'please run this script as root' >&2
exit 1
fi
It then moves the decision of how to run the script with root privileges to the user of the script.
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily usesudowith functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo
– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (-h,-aetc.) to see whether a given option is valid or not.
– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
add a comment |
You can add your script in /etc/sudoers (preferably using `visudo) so that it is accessible to the user.
user ALL= /path/to/script
Then the user will able to execute path/to/script without sudo.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Note that since the script simply executes"$@", this would allow the user to execute anything with root privileges, e.g.sudo /path/to/script reboot.
– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
Adding a script tosudoersdoesn't make it magically run without needingsudo. It simply tells thesudocommand it's allowed to let the user run that script. You still need to invokesudo.
– roaima
Apr 6 at 7:42
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510855%2fsudo-without-sudo-implying-sudo-in-script%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The "$@" will expand to the list of command line arguments, individually quoted. This means that if you call your script with
./script.sh start-one
it will run start-one at that point (which is your function). It also means that invoking it as
./script.sh ls
it would run ls.
Allowing a user to invoke the script using sudo (or using sudo inside the script) would allow them to run any command as root, if they had sudo access. You do not want this.
Instead, you would need to carefully validate the command line arguments. Maybe something like
foo_func ()
# stuff
printf 'foo:t%sn' "$@"
bar_func ()
# stuff
printf 'bar:t%sn' "$@"
arg=$1
shift
case $arg in
foo)
foo_func "$@" ;;
bar)
bar_func "$@" ;;
*)
printf 'invalid sub-command: %sn' "$arg" >&2
exit 1
esac
Testing:
$ sh script.sh bar 1 2 3
bar: 1
bar: 2
bar: 3
$ sh script.sh baz
invalid sub-command: baz
This would be safer to use with sudo, but you would still not want to execute anything that the user gives you within your various functions directly without sanitising the input. The script above does this by restricting the user to a particular set of sub-commands, and each function that handles a sub-command does not execute, eval, or source its arguments.
Let me say that again with other words: The script does not, and should not, try to execute the user input as code in any way. It should not try to figure out whether an argument corresponds to a function in the current environment that it can execute (functions may have been put there by the calling environment) and it should not execute scripts whose pathnames were given on the command line etc.
If a script is performing administrative tasks, I would be expecting to have to run it with sudo, and I would not want the script itself to ask me for my password, especially not if it's a script that I may want to run non-interactively (e.g. from a cron job). That is, a script performing administrative tasks requiring root privileges should (IMHO) be able to assume it's running with the correct privileges from the start.
If you want to test this in the script, you could do so with
if [ "$( id -u )" -ne 0 ]; then
echo 'please run this script as root' >&2
exit 1
fi
It then moves the decision of how to run the script with root privileges to the user of the script.
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily usesudowith functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo
– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (-h,-aetc.) to see whether a given option is valid or not.
– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
add a comment |
The "$@" will expand to the list of command line arguments, individually quoted. This means that if you call your script with
./script.sh start-one
it will run start-one at that point (which is your function). It also means that invoking it as
./script.sh ls
it would run ls.
Allowing a user to invoke the script using sudo (or using sudo inside the script) would allow them to run any command as root, if they had sudo access. You do not want this.
Instead, you would need to carefully validate the command line arguments. Maybe something like
foo_func ()
# stuff
printf 'foo:t%sn' "$@"
bar_func ()
# stuff
printf 'bar:t%sn' "$@"
arg=$1
shift
case $arg in
foo)
foo_func "$@" ;;
bar)
bar_func "$@" ;;
*)
printf 'invalid sub-command: %sn' "$arg" >&2
exit 1
esac
Testing:
$ sh script.sh bar 1 2 3
bar: 1
bar: 2
bar: 3
$ sh script.sh baz
invalid sub-command: baz
This would be safer to use with sudo, but you would still not want to execute anything that the user gives you within your various functions directly without sanitising the input. The script above does this by restricting the user to a particular set of sub-commands, and each function that handles a sub-command does not execute, eval, or source its arguments.
Let me say that again with other words: The script does not, and should not, try to execute the user input as code in any way. It should not try to figure out whether an argument corresponds to a function in the current environment that it can execute (functions may have been put there by the calling environment) and it should not execute scripts whose pathnames were given on the command line etc.
If a script is performing administrative tasks, I would be expecting to have to run it with sudo, and I would not want the script itself to ask me for my password, especially not if it's a script that I may want to run non-interactively (e.g. from a cron job). That is, a script performing administrative tasks requiring root privileges should (IMHO) be able to assume it's running with the correct privileges from the start.
If you want to test this in the script, you could do so with
if [ "$( id -u )" -ne 0 ]; then
echo 'please run this script as root' >&2
exit 1
fi
It then moves the decision of how to run the script with root privileges to the user of the script.
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily usesudowith functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo
– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (-h,-aetc.) to see whether a given option is valid or not.
– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
add a comment |
The "$@" will expand to the list of command line arguments, individually quoted. This means that if you call your script with
./script.sh start-one
it will run start-one at that point (which is your function). It also means that invoking it as
./script.sh ls
it would run ls.
Allowing a user to invoke the script using sudo (or using sudo inside the script) would allow them to run any command as root, if they had sudo access. You do not want this.
Instead, you would need to carefully validate the command line arguments. Maybe something like
foo_func ()
# stuff
printf 'foo:t%sn' "$@"
bar_func ()
# stuff
printf 'bar:t%sn' "$@"
arg=$1
shift
case $arg in
foo)
foo_func "$@" ;;
bar)
bar_func "$@" ;;
*)
printf 'invalid sub-command: %sn' "$arg" >&2
exit 1
esac
Testing:
$ sh script.sh bar 1 2 3
bar: 1
bar: 2
bar: 3
$ sh script.sh baz
invalid sub-command: baz
This would be safer to use with sudo, but you would still not want to execute anything that the user gives you within your various functions directly without sanitising the input. The script above does this by restricting the user to a particular set of sub-commands, and each function that handles a sub-command does not execute, eval, or source its arguments.
Let me say that again with other words: The script does not, and should not, try to execute the user input as code in any way. It should not try to figure out whether an argument corresponds to a function in the current environment that it can execute (functions may have been put there by the calling environment) and it should not execute scripts whose pathnames were given on the command line etc.
If a script is performing administrative tasks, I would be expecting to have to run it with sudo, and I would not want the script itself to ask me for my password, especially not if it's a script that I may want to run non-interactively (e.g. from a cron job). That is, a script performing administrative tasks requiring root privileges should (IMHO) be able to assume it's running with the correct privileges from the start.
If you want to test this in the script, you could do so with
if [ "$( id -u )" -ne 0 ]; then
echo 'please run this script as root' >&2
exit 1
fi
It then moves the decision of how to run the script with root privileges to the user of the script.
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
The "$@" will expand to the list of command line arguments, individually quoted. This means that if you call your script with
./script.sh start-one
it will run start-one at that point (which is your function). It also means that invoking it as
./script.sh ls
it would run ls.
Allowing a user to invoke the script using sudo (or using sudo inside the script) would allow them to run any command as root, if they had sudo access. You do not want this.
Instead, you would need to carefully validate the command line arguments. Maybe something like
foo_func ()
# stuff
printf 'foo:t%sn' "$@"
bar_func ()
# stuff
printf 'bar:t%sn' "$@"
arg=$1
shift
case $arg in
foo)
foo_func "$@" ;;
bar)
bar_func "$@" ;;
*)
printf 'invalid sub-command: %sn' "$arg" >&2
exit 1
esac
Testing:
$ sh script.sh bar 1 2 3
bar: 1
bar: 2
bar: 3
$ sh script.sh baz
invalid sub-command: baz
This would be safer to use with sudo, but you would still not want to execute anything that the user gives you within your various functions directly without sanitising the input. The script above does this by restricting the user to a particular set of sub-commands, and each function that handles a sub-command does not execute, eval, or source its arguments.
Let me say that again with other words: The script does not, and should not, try to execute the user input as code in any way. It should not try to figure out whether an argument corresponds to a function in the current environment that it can execute (functions may have been put there by the calling environment) and it should not execute scripts whose pathnames were given on the command line etc.
If a script is performing administrative tasks, I would be expecting to have to run it with sudo, and I would not want the script itself to ask me for my password, especially not if it's a script that I may want to run non-interactively (e.g. from a cron job). That is, a script performing administrative tasks requiring root privileges should (IMHO) be able to assume it's running with the correct privileges from the start.
If you want to test this in the script, you could do so with
if [ "$( id -u )" -ne 0 ]; then
echo 'please run this script as root' >&2
exit 1
fi
It then moves the decision of how to run the script with root privileges to the user of the script.
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
edited Apr 6 at 13:03
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
answered Apr 6 at 7:38
Kusalananda♦Kusalananda
140k17261436
140k17261436
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily usesudowith functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo
– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (-h,-aetc.) to see whether a given option is valid or not.
– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
add a comment |
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily usesudowith functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo
– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (-h,-aetc.) to see whether a given option is valid or not.
– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
Wow, this was explained so perfectly. I will implement this case statement to avoid inputting invalid commands. Also, I was feeling the same way as you about implying sudo, and giving prompt to user if run without sudo would be much better, but I think I will still try to imply sudo after I sanitize the input from user. :)
– Rakib Fiha
Apr 6 at 7:57
@RakibFiha Note that you can't easily use
sudo with functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo– Kusalananda♦
Apr 6 at 8:43
@RakibFiha Note that you can't easily use
sudo with functions (if you need to do that). See e.g. Executing a Bash Script Function with Sudo– Kusalananda♦
Apr 6 at 8:43
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
Thank you very much. Now I am trying to figure out how can I check if the parameter passed exists as a function from an array as Im trying to implement your case statement.
– Rakib Fiha
Apr 6 at 9:47
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (
-h, -a etc.) to see whether a given option is valid or not.– Kusalananda♦
Apr 6 at 9:51
@RakibFiha Note that you don't need to do that as you can simple switch through the valid cases, and output an error when none matches. The point is that you don't use the string given to you by the user as something you can call. Instead you use that string to figure out if it's a sting that is valid. It's very much like testing the command line options (
-h, -a etc.) to see whether a given option is valid or not.– Kusalananda♦
Apr 6 at 9:51
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
the case statement is working like a charm now, but I wanted to make a hash table because now my number of functions are increasing and did not want to write case statement for every single function one by one. For some reason case statement is worked only for the first object of the array. Thank you again. Learnt alot from this.
– Rakib Fiha
2 days ago
add a comment |
You can add your script in /etc/sudoers (preferably using `visudo) so that it is accessible to the user.
user ALL= /path/to/script
Then the user will able to execute path/to/script without sudo.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Note that since the script simply executes"$@", this would allow the user to execute anything with root privileges, e.g.sudo /path/to/script reboot.
– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
Adding a script tosudoersdoesn't make it magically run without needingsudo. It simply tells thesudocommand it's allowed to let the user run that script. You still need to invokesudo.
– roaima
Apr 6 at 7:42
add a comment |
You can add your script in /etc/sudoers (preferably using `visudo) so that it is accessible to the user.
user ALL= /path/to/script
Then the user will able to execute path/to/script without sudo.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Note that since the script simply executes"$@", this would allow the user to execute anything with root privileges, e.g.sudo /path/to/script reboot.
– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
Adding a script tosudoersdoesn't make it magically run without needingsudo. It simply tells thesudocommand it's allowed to let the user run that script. You still need to invokesudo.
– roaima
Apr 6 at 7:42
add a comment |
You can add your script in /etc/sudoers (preferably using `visudo) so that it is accessible to the user.
user ALL= /path/to/script
Then the user will able to execute path/to/script without sudo.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
You can add your script in /etc/sudoers (preferably using `visudo) so that it is accessible to the user.
user ALL= /path/to/script
Then the user will able to execute path/to/script without sudo.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 6 at 7:12
user5325user5325
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered Apr 6 at 7:12
user5325user5325
864
answered Apr 6 at 7:12
user5325user5325
864
864
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user5325 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Note that since the script simply executes"$@", this would allow the user to execute anything with root privileges, e.g.sudo /path/to/script reboot.
– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
Adding a script tosudoersdoesn't make it magically run without needingsudo. It simply tells thesudocommand it's allowed to let the user run that script. You still need to invokesudo.
– roaima
Apr 6 at 7:42
add a comment |
Note that since the script simply executes"$@", this would allow the user to execute anything with root privileges, e.g.sudo /path/to/script reboot.
– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
Adding a script tosudoersdoesn't make it magically run without needingsudo. It simply tells thesudocommand it's allowed to let the user run that script. You still need to invokesudo.
– roaima
Apr 6 at 7:42
Note that since the script simply executes
"$@", this would allow the user to execute anything with root privileges, e.g. sudo /path/to/script reboot.– Kusalananda♦
Apr 6 at 7:16
Note that since the script simply executes
"$@", this would allow the user to execute anything with root privileges, e.g. sudo /path/to/script reboot.– Kusalananda♦
Apr 6 at 7:16
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
@Kusalananda wow, thank you for pointing that out. I thought $@ was only passing the functions within the script. How can I avoid that?
– Rakib Fiha
Apr 6 at 7:24
4
4
Adding a script to
sudoers doesn't make it magically run without needing sudo. It simply tells the sudo command it's allowed to let the user run that script. You still need to invoke sudo.– roaima
Apr 6 at 7:42
Adding a script to
sudoers doesn't make it magically run without needing sudo. It simply tells the sudo command it's allowed to let the user run that script. You still need to invoke sudo.– roaima
Apr 6 at 7:42
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510855%2fsudo-without-sudo-implying-sudo-in-script%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Why can't you execute the script like
$ sudo ./script.sh?– 0xSheepdog
Apr 6 at 6:36
@0xSheepdog Thank you. I have updated the question. I dont know, just want to try I guess.
– Rakib Fiha
Apr 6 at 6:38
1
Why don't you just add sudo to the function?
start_one() { sudo systemctl ...?– glenn jackman
Apr 6 at 11:24
Sorry for late reply, because if I want to make a systemd service for my script, including sudo within the script becomes weird
– Rakib Fiha
2 days ago