开发者

Storing sudo password as variable in script - is it safe?

Is storing my password this way safe?

echo 'Write sudo password (will not be displayed) and hit enter'
read -s password

I need it开发者_如何学运维 to make commands like this:

echo $password | sudo -S apt-get install -y foo bar


No because you can see it via /proc/$PID/cmdline.

I suggest not to try to reinvent security tools. The sudo program can cache your password.


A better approach would be to edit your sudoers file and add your program that don't require password...

Do a sudo visudo and add following to enable your admin group to run apt-get w/o password: %admin ALL = NOPASSWD: /usr/bin/apt-get

See sudoers man page for more detail.


echo $password | sudo -S apt-get install -y foo bar 

This is a bit dangerous. If the user is already authenticated to sudo, sudo won't request the password again and it will be forwarded to apt-get, with could lead to strange results (for example, if the postinstall script asks a question). I would suggest to use

sudo -k                         # remove previous sudo timestamp
echo $password | sudo -v -S     # create a new one for 15 minutes
sudo apt-get ...                # execute the command

instead.

EDIT: Dirk is correct about the password being visible for a very short time while echo is executed. Please see my answer as an extended comment rather than an answer to your question.


sudo is open source, so you can compile your own version which takes the password as a command line parameter.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜