Shell 脚本 - Sudo 权限随着时间的推移而丢失

发布于 2024-11-04 21:18:32 字数 369 浏览 0 评论 0原文

我制作了一个简单的 bash 脚本，需要在整个脚本中保留其超级用户权限。不幸的是，但可以理解的是，当 sleep 发生时，脚本会失去其 sudo 提升的权限。对我来说不好：

sudo echo "I am sudo!" # Asks for passwords
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.

我考虑过用 while 循环替换 sleep 来保持 sudo 的活动，但我很确定有更好的选项可以使 sudo - 权限在整个脚本中保留？

谢谢

原文

I've made a simple bash script that need to keep it's super-user privileges throughout the script. Unfortunately, but understandable the script looses its sudo-eleveted permissions when the sleep occurs. Not good for me:

sudo echo "I am sudo!" # Asks for passwords
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.

I thought about replacing the sleep with a while-loop that keeps the sudo alive, but I am pretty sure that there's better options available to make the sudo-permissions stay throughout the script?

Thanks

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

路弥 2024-11-11 21:18:32

sudo 的灵活性被广泛低估。这会导致非常糟糕的实践（例如 sudo su - 炮弹手术方法）。

更好的方法是专门允许您想要允许的命令，不使用密码：

phill = NOPASSWD: /bin/ls, /usr/bin/lprm

您可以选择对以特定管理员用户身份运行的特定主机中的特定用户执行此操作。您甚至可以阻止用户将 shell 转义符作为参数传递。您可以使 sudo 阻止启动的程序动态执行更多应用程序等。您将需要阅读 sudoers 的手册页（以及请务必阅读编辑此特殊文件的步骤！）。

这里是一些小东西，（从这里）：

User_Alias     OPERATORS = joe, mike, jude
Runas_Alias    OP = root, operator
Host_Alias     OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm

OPERATORS ALL=ALL
#The users in the OPERATORS group can run any command from any terminal.

linus ALL=(OP) ALL
# The user linus can run any command from any terminal as any user in the OP group (root or operator).

user2 OFNET=(ALL) ALL
# user user2 may run any command from any machine in the OFNET network, as any user.

user3 ALL= PRINTING
# user user3 may run lpc and lprm from any machine.

go2linux ALL=(ALL) ALL
# user go2linux may run any command from any machine acting as any user. (like Ubuntu)

 If you want not to be asked for a password use this form
go2linux ALL=(ALL) ALL NO PASSWD: ALL

The flexibility of sudo is widely under-estimated. This leads to very poor practices (like the sudo su - canon-ball surgery method).

A much better method is to specificly allow the commands you intend to allow without use of a password:

phill = NOPASSWD: /bin/ls, /usr/bin/lprm

You can optionally do this for specific users from specific hosts running as specific admin users. You can even prevent users from passing shell escapes as parameters. You can make sudo prevent the launched program to execute further applications dynamically etc. etc. You will want to read the man-page for sudoers (and be sure to read the procedures for editing this special file!).

Here is a small taste of things, (from here):

User_Alias     OPERATORS = joe, mike, jude
Runas_Alias    OP = root, operator
Host_Alias     OFNET = 10.1.2.0/255.255.255.0
Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm

OPERATORS ALL=ALL
#The users in the OPERATORS group can run any command from any terminal.

linus ALL=(OP) ALL
# The user linus can run any command from any terminal as any user in the OP group (root or operator).

user2 OFNET=(ALL) ALL
# user user2 may run any command from any machine in the OFNET network, as any user.

user3 ALL= PRINTING
# user user3 may run lpc and lprm from any machine.

go2linux ALL=(ALL) ALL
# user go2linux may run any command from any machine acting as any user. (like Ubuntu)

 If you want not to be asked for a password use this form
go2linux ALL=(ALL) ALL NO PASSWD: ALL

回复收藏 0 原文

池木 2024-11-11 21:18:32

严格在脚本内工作（而不是编辑 sudoers 文件或通过 sudo ./script.sh 调用脚本），这就是我认为最干净的方法。

startsudo() {
    sudo -v
    ( while true; do sudo -v; sleep 50; done; ) &
    SUDO_PID="$!"
    trap stopsudo SIGINT SIGTERM
}
stopsudo() {
    kill "$SUDO_PID"
    trap - SIGINT SIGTERM
    sudo -k
}

基本上，这定义了一对用于启用和禁用 sudo 模式的函数。在运行使用 sudo 的代码之前调用 startsudo 可以使用 sudo 进行身份验证、分叉后台 sudo 刷新循环、保存循环的 PID，并设置信号陷阱以在按下 Ctrl+C 时停止 sudo 模式。调用 stopsudo 会终止循环，清除信号陷阱，并使之前使用 sudo 进行的身份验证无效。

将这些函数复制到脚本中后，像这样使用它们。

startsudo
echo "Sudo mode is active."
# whatever you want to do with sudo
stopsudo

我要感谢 @karl 内联 sudo 刷新循环的简单性，并感谢 @sehe 指出如果循环没有正常终止，则应使用信号陷阱来终止循环。这两个想法都改进了我的 btrfs 备份脚本，它使用 sudo 刷新循环来避免重新提示用户在子卷的备份花费的时间超过 sudo 的超时时间后。

Working strictly within a script (and not editing the sudoers file or calling the script via sudo ./script.sh), here's what I think the cleanest method is.

startsudo() {
    sudo -v
    ( while true; do sudo -v; sleep 50; done; ) &
    SUDO_PID="$!"
    trap stopsudo SIGINT SIGTERM
}
stopsudo() {
    kill "$SUDO_PID"
    trap - SIGINT SIGTERM
    sudo -k
}

Basically, this defines a pair of functions for enabling and disabling sudo mode. Calling startsudo before running your sudo-using code authenticates with sudo, forks a background sudo-refreshing loop, saves the loop's PID, and sets a signal trap to stop sudo mode when Ctrl+C is pressed. Calling stopsudo kills the loop, clears the signal trap, and invalidates the earlier authentication with sudo.

After copying these functions into your script, use them like this.

startsudo
echo "Sudo mode is active."
# whatever you want to do with sudo
stopsudo

I would like to thank @karl for the simplicity of inlining the sudo-refreshing loop and @sehe for pointing out that a signal trap should be used to kill the loop if it isn't killed normally. Both of these ideas improved my btrfs backup script, which uses a sudo-refreshing loop to avoid re-prompting the user after a subvolume's backup takes longer than sudo's timeout.

回复收藏 0 原文

橘香 2024-11-11 21:18:32

您可以通过添加到 /etc/sudoers 来调整此超时

Defaults timestamp_timeout=#Number of minutes

，但运行起来更容易

sudo ./worker.sh

You can adjust this timeout by adding to /etc/sudoers

Defaults timestamp_timeout=#Number of minutes

But it is much easier to run

sudo ./worker.sh

回复收藏 0 原文

夜访吸血鬼 2024-11-11 21:18:32

这是一个解决方法：

sudo echo "I am sudo!" # Asks for passwords
( while true; do sudo -v; sleep 40; done ) &   # update the user's timestamp
sudoPID=$!
# ...
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.
kill -TERM $sudoPID
sudo -k  # invalidate the user's timestamp at end of script (does not require a password)

Here's a workaround:

sudo echo "I am sudo!" # Asks for passwords
( while true; do sudo -v; sleep 40; done ) &   # update the user's timestamp
sudoPID=$!
# ...
sleep(60)
sudo echo "I am sudo!" # Need to enter password again.
kill -TERM $sudoPID
sudo -k  # invalidate the user's timestamp at end of script (does not require a password)

回复收藏 0 原文

感性 2024-11-11 21:18:32

这是我的方式：

#!/bin/sh
echo "Working..."
# add you pass
echo "yourpass" >> file.pass ;sleep 5 
# Check if root
if [ `cat file.pass | sudo -S su root -c whoami` != "root" ]; then
echo "Not running as root. Exiting..."
sleep 2
echo "Cleaning..."
sleep 1
srm file.pass
echo "Cleaned"
exit 0
else
echo "Running as root. Good"
sleep 2
# and run any sudo with
cat file.pass | sudo -S su root -c ls #<any command>
fi

sleep 5
echo `cat file.pass | sudo -S su root -c whoami` "say bay bay"
# if pass no longer need
srm file.pass
echo "End session :)"
exit 0

This my way:

#!/bin/sh
echo "Working..."
# add you pass
echo "yourpass" >> file.pass ;sleep 5 
# Check if root
if [ `cat file.pass | sudo -S su root -c whoami` != "root" ]; then
echo "Not running as root. Exiting..."
sleep 2
echo "Cleaning..."
sleep 1
srm file.pass
echo "Cleaned"
exit 0
else
echo "Running as root. Good"
sleep 2
# and run any sudo with
cat file.pass | sudo -S su root -c ls #<any command>
fi

sleep 5
echo `cat file.pass | sudo -S su root -c whoami` "say bay bay"
# if pass no longer need
srm file.pass
echo "End session :)"
exit 0

回复收藏 0 原文