Shell script gains superuser privilege without running as sudo

Here's my script, script.sh:

    sudo cat /etc/passwd-

If I am in a sudo session (for example I ran another command with sudo a few minutes ago) and now run

    script.sh

the script accesses the file through sudo. However, if I run cat /etc/passwd- directly, I get permission denied.

As a user, I would not expect script.sh to be able to get superuser privileges so easily (for example, without granting superuser access by running sudo script.sh).

Is this the expected behavior? Is it customizable?

I see the behavior is completely similar to sudo su, e.g. potentially giving superuser access to whatever script you run in that session, but even worse because you might not even know about it and I don't know when it will end (at least not without manual verification).

1 answer


Is this the expected behavior?

Yes, indeed, this is expected behavior. It is caused by sudo caching the user's credentials.

Can I customize it?

Yes, it is customizable.

And I think that your concern about security is valid. Executing script.sh in a terminal where a sudo command was executed before (within a certain timeout) will grant the script superuser privilege if the script contains explicit sudo commands.

You can make sure the script asks for a password on startup by running it as sudo with:

    sudo -k script.sh

It will prompt for a password regardless of any previous sudo command / session.

To run script.sh without sudo, i.e. with only script.sh, and still be prompted for a password for its sudo command(s):

You can change the timeout value permanently (the duration for which sudo maintains a session):

Run sudo visudo, then change the line

    Defaults        env_reset

to

    Defaults        env_reset,timestamp_timeout=0

Save and exit (Ctrl+X, then Y).

This makes sure sudo asks for a password every time it is run.

Or, if you don't want to change it permanently and want your script to ask for a password at least once (while keeping the session afterwards), you can change your script like this:

    sudo -k first-command-with-sudo
    sudo second-command
    sudo third
    # and so on

This script will ask for a password at least once regardless of previous sudo commands or sessions.

If you don't know (or don't have access to) the content of script.sh (it may or may not contain sudo commands) and you want to be sure that any sudo command in it will prompt for a password at least once, run sudo -K (capital K) before running the script.

Now if you run script.sh and it contains a sudo command, it will definitely ask for a password.
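As an added example (not part of the original question or answer), here is a small POSIX shell audit of the settings discussed above: it reads sudoers text and reports the effective timestamp_timeout, checks whether the current session already holds cached sudo credentials (the asker's "manual verification"), and wraps the answer's sudo -K pattern. The sudoers excerpts are constructed, and sudo's compiled-in default of 5 minutes is assumed.

```shell
# Added example, not from the original post: audit sudo credential caching
# and wrap the "sudo -K before the script" pattern from the answer.

# Constructed sudoers excerpts: the weak default and the hardened line.
SUDOERS_WEAK='Defaults        env_reset
Defaults        mail_badpass
root    ALL=(ALL:ALL) ALL'
SUDOERS_FIXED='Defaults        env_reset,timestamp_timeout=0
root    ALL=(ALL:ALL) ALL'

# Print the effective timestamp_timeout (minutes) from sudoers text on stdin.
# Only global "Defaults" lines count (per-user "Defaults:" lines are ignored);
# the last setting wins. Assumes sudo's compiled-in default of 5 minutes.
effective_timestamp_timeout() {
    awk '
        /^[[:space:]]*Defaults[[:space:]]/ {
            sub(/#.*/, "")                    # strip a trailing comment
            n = split($0, parts, /[,[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^timestamp_timeout=/) {
                    split(parts[i], kv, "=")
                    val = kv[2]
                }
        }
        END { if (val == "") val = 5; print val }
    '
}

# Describe what a timestamp_timeout value means for the scenario in the question.
classify_timeout() {
    case "$1" in
        0)  echo "prompt every time" ;;       # the answer's hardened setting
        -*) echo "never expires" ;;           # cached until sudo -k / -K
        *)  echo "cached for $1 minutes" ;;
    esac
}

# Exit 0 when this shell can already run sudo without a prompt (cached
# credentials or a NOPASSWD rule). A successful check refreshes the timestamp.
have_cached_sudo() {
    sudo -n true 2>/dev/null
}

# Drop the cached timestamp, then run the given script so any sudo inside it
# has to prompt (the answer's sudo -K pattern).
run_fresh() {
    sudo -K
    sh "$@"
}
```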
