Storing sudo password as variable in script - is it safe?
Is storing my password this way safe?
echo 'Write sudo password (will not be displayed) and hit enter'
read -s password
I need it开发者_如何学运维 to make commands like this:
echo $password | sudo -S apt-get install -y foo bar
No because you can see it via /proc/$PID/cmdline
.
I suggest not to try to reinvent security tools. The sudo
program can cache your password.
A better approach would be to edit your sudoers file and add your program that don't require password...
Do a sudo visudo
and add following to enable your admin group to run apt-get w/o password:
%admin ALL = NOPASSWD: /usr/bin/apt-get
See sudoers man page for more detail.
echo $password | sudo -S apt-get install -y foo bar
This is a bit dangerous. If the user is already authenticated to sudo, sudo won't request the password again and it will be forwarded to apt-get, with could lead to strange results (for example, if the postinstall script asks a question). I would suggest to use
sudo -k # remove previous sudo timestamp
echo $password | sudo -v -S # create a new one for 15 minutes
sudo apt-get ... # execute the command
instead.
EDIT: Dirk is correct about the password being visible for a very short time while echo
is executed. Please see my answer as an extended comment rather than an answer to your question.
sudo
is open source, so you can compile your own version which takes the password as a command line parameter.
精彩评论