Shell脚本 - Sudo权限随着时间的推移而丢失

时间:2011-05-03 08:06:56

标签: bash shell ubuntu sudo

我制作了一个简单的bash脚本,需要在整个脚本中保持超级用户权限。不幸的是,但是可以理解的是,当sudo发生时,脚本会丢失其sleep - 所获得的权限。对我不好:

sudo echo "I am sudo!" # Asks for passwords
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.

我想用一个保持sudo活着的while循环替换sleep,但我很确定有更好的选项可以让sudo - 权限保留在整个脚本中吗? / p>

由于

6 个答案:

答案 0 :(得分:10)

sudo的灵活性被广泛低估。这导致非常糟糕的做法(如sudo su -佳能球手术方法)。

更好的方法是明确允许您打算在不使用密码的情况下允许的命令 

phill = NOPASSWD: /bin/ls, /usr/bin/lprm

您可以选择对作为特定管理员用户运行的特定主机的特定用户执行此操作。您甚至可以阻止用户将shell转义作为参数传递。您可以使sudo阻止已启动的程序动态执行其他应用程序等。您需要read the man-page for sudoers (and be sure to read the procedures for editing this special file!)

这是一些小事,(from here):

User_Alias     OPERATORS = joe, mike, jude
Runas_Alias    OP = root, operator
Host_Alias     OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm

OPERATORS ALL=ALL
#The users in the OPERATORS group can run any command from any terminal.

linus ALL=(OP) ALL
# The user linus can run any command from any terminal as any user in the OP group (root or operator).

user2 OFNET=(ALL) ALL
# user user2 may run any command from any machine in the OFNET network, as any user.

user3 ALL= PRINTING
# user user3 may run lpc and lprm from any machine.

go2linux ALL=(ALL) ALL
# user go2linux may run any command from any machine acting as any user. (like Ubuntu)

 If you want not to be asked for a password use this form
go2linux ALL=(ALL) ALL NO PASSWD: ALL

答案 1 :(得分:5)

您可以通过添加到/ etc / sudoers

来调整此超时 
Defaults timestamp_timeout=#Number of minutes

但是运行起来要容易得多

sudo ./worker.sh

答案 2 :(得分:4)

这是一种解决方法:

sudo echo "I am sudo!" # Asks for passwords
( while true; do sudo -v; sleep 40; done ) &   # update the user's timestamp
sudoPID=$!
# ...
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.
kill -TERM $sudoPID
sudo -k  # invalidate the user's timestamp at end of script (does not require a password)

答案 3 :(得分:4)

严格地在脚本中工作(而不是编辑sudoers文件或通过sudo ./script.sh调用脚本),这是我认为最干净的方法。

startsudo() {
    sudo -v
    ( while true; do sudo -v; sleep 50; done; ) &
    SUDO_PID="$!"
    trap stopsudo SIGINT SIGTERM
}
stopsudo() {
    kill "$SUDO_PID"
    trap - SIGINT SIGTERM
    sudo -k
}

基本上,这定义了一对用于启用和禁用sudo模式的功能。在运行sudo-using代码之前调用startsudo使用sudo进行身份验证,分配后台sudo-refresh循环,保存循环的PID,并设置信号陷阱以在按下Ctrl + C时停止sudo模式。调用stopsudo会终止循环,清除信号陷阱,并使用sudo使早期的身份验证无效。

将这些功能复制到脚本后,请像这样使用它们。

startsudo
echo "Sudo mode is active."
# whatever you want to do with sudo
stopsudo

我要感谢@karl简单介绍sudo-refresh循环和@sehe指出如果没有正常杀死循环,应该使用信号陷阱来杀死循环。这两个想法都改进了my btrfs backup script,它使用sudo-refresh循环来避免在子卷的备份花费的时间超过sudo超时后重新提示用户。

答案 4 :(得分:2)

这是我的方式:

#!/bin/sh
echo "Working..."
# add you pass
echo "yourpass" >> file.pass ;sleep 5 
# Check if root
if [ `cat file.pass | sudo -S su root -c whoami` != "root" ]; then
echo "Not running as root. Exiting..."
sleep 2
echo "Cleaning..."
sleep 1
srm file.pass
echo "Cleaned"
exit 0
else
echo "Running as root. Good"
sleep 2
# and run any sudo with
cat file.pass | sudo -S su root -c ls #<any command>
fi

sleep 5
echo `cat file.pass | sudo -S su root -c whoami` "say bay bay"
# if pass no longer need
srm file.pass
echo "End session :)"
exit 0

答案 5 :(得分:0)

为所有人获取root权限:

sudo su -
# What I need to do with root
相关问题
最新问题