152

To do a patch manually I must type this command 

sudo ./playback_delete_data_patch.sh 09_delete_old_data_p.sql

There is a space just before the 09: 

sudo ./playback_delete_data_patch.sh [space] 09_delete_old_data_p.sql

How can I run this inside a script?

There are also several other commands but this one is giving trouble.

Zanna
  • 70,465
user251948
  • 1,521
  • 2
  • 10
  • 4
  • 3
    Just put it in the script, what's the problem? – Lie Ryan Feb 24 '14 at 22:31
  • 9
    @LieRyan - the sudo password - the script won't be able to run fully if someone is not there to enter it. – Wilf Feb 24 '14 at 23:04
  • My system just runs them fine without prompting. Ubuntu 16.04 in October 2017. You have messed up your sudoers setup . No big deal. It just needs fixed. – SDsolar Oct 11 '17 at 22:02
  • 6
    @SDsolar Your system is the one that's messed up; it's a minor security vulnerability to not prompt for the password (makes users more vulnerable to some types of social engineering attacks). – wizzwizz4 Feb 24 '18 at 13:32
  • How you run the script (with regard to sudo) does affect the environment (i.e. available variables), though. This is important in some cases, for example with gsettings. – caw Jun 15 '21 at 04:41

7 Answers7

183

It is rarely a good idea to have sudo inside scripts. Instead, remove the sudo from the script and run the script itself with sudo:

sudo myscript.sh

That way, all commands within the script will be run with root privileges and you only need to give the password once when launching the script. If you need a particular command within the script to be run without sudo privileges, you can run it as a regular user with (thanks Lie Ryan):

sudo -u username command

The space is irrelevant, it should not affect anything, there is always a space between a command and its arguments.

Community
  • 1
terdon
  • 100,812
  • 48
    there may be commands in the script that don't need the root privilege, you can drop the root privilege temporarily for those commands by using sudo -u username – Lie Ryan Feb 25 '14 at 22:01
  • In my situation, I wrote a script to fix permissions and ownership and keep forgetting to type sudo, so I put sudo before each command within the script. – Krista K Jul 30 '15 at 23:03
  • 1
    @ChrisK yeah, don't do that. Just run sudo script.sh instead. It is both simpler and easier to do and makes for a more legible script. – terdon Jul 31 '15 at 08:26
  • 80
    A lot of scripts I write do a whole bunch of user interaction and/or error checking. Then one command at the end - something like rsync - needs to be run as root. Why would I want to make the whole thing run elevated and leave myself open to many lines of code that could contain serious errors or vulnerabilities with root access - especially while debugging - when only one or a few commands require that access? – Joe Sep 26 '15 at 04:28
  • 2
    @Joe fair enough. Changed the "never a good idea" to "rarely". – terdon Sep 28 '15 at 21:04
  • 16
    @Joe has a really good point here. Also when one says don't do that, it would be nice to know exactly why is that, or at least, in which context shouldn't I do that, and why – arainone Sep 24 '16 at 10:50
  • 1
    @arainone I didn't say don't do it, I said it is rarely a good idea. Largely because this means you can't run the script automatically since you will need to enter the password each time you are asked. – terdon Sep 24 '16 at 12:03
  • 5
    When sudo is run on a script it sets the $SUDO_USER environmental variable to the user who called the script. Useful in conjunction with sudo -u – Zell Faze Jan 02 '17 at 17:30
  • 1
    @terdon - well if you run the script like sudo script.sh you'll have to enter your password initially. It seems the ubuntu default is to have a several-minute sudo timeout, so whether your put 1 or more sudo commands in the script, or do it outside, you'll likely only be entering the password one time, unless the script is very long running. – BeeOnRope Aug 07 '17 at 19:17
  • 1
    @BeeOnRope if you run with sudo script you will never need to enter the password again, not even if it runs for days. The script will be launched by the root user and root can run sudo with no password. That's the whole point of using sudo script instead of calling sudo inside the script. – terdon Aug 10 '17 at 12:57
  • @terdon - I know, I don't think I suggested otherwise above? I was pointing out that usually the entire script will run with a single sudo prompt even with multiple sudo commands inside the script due to a non-zero sudo timeout. Yes it will prompt you again for long running scripts. Usually you know if your script will fall into that category though. The downsides of running the entire script with sudo are pretty significant as well. – BeeOnRope Aug 10 '17 at 16:22
  • 2
    @BeeOnRope no, that's what I am saying. It will never prompt for a password for any sudo calls inside the script if you have launched the script with sudo script. The timeout has nothing to do with it. Once launched with sudo, the script is running as root and root never needs to enter a password for sudo. You can test this with sudo -i (start a root shell) then sudo ls and you will see it doesn't prompt you. To be extra sure, you can run sudo -k to reset the password timestamp and it will still not prompt. Sudo will never prompt if you're root. – terdon Aug 10 '17 at 16:25
  • 17
    @terdon You aren't listening. I know that if you run the script as root it will never prompt you for sudo. I'm comparing that with not running the script as root and instead putting explicit sudo calls in the script, because elevating the entire script to root may be a terrible idea if there are only a handful of narrow actions that need root. In that context I was responding specifically to your comment: "Largely because this means you can't run the script automatically since you will need to enter the password each time you are asked." – BeeOnRope Aug 10 '17 at 16:31
  • 2
    ... and I was pointing out that for most scripts, you will be printed for credentials the same number of times (zero or once) whether you choose run run sudo script.sh or just script.sh with certain commands prefixed with sudo within the script. The only except is scripts that run longer than the sudo timeout. Essentially, I'm agreeing with and providing some additional thoughts around @Joe's comment above. – BeeOnRope Aug 10 '17 at 16:33
  • I think the advice is not good because in my case, there are commands that must be ran as non-root and with the real logged user (due to forwardagent usage inside). – Loenix Aug 23 '19 at 07:29
  • @Loenix you can always use sudo to switch to that normal user then. But, as I said in the answer, it is rarely a good idea to have to sudo to root in the script. Rarely, not never. So maybe in your case it's useful. – terdon Aug 23 '19 at 15:24
  • I use sudo inside interactive scripts all the time. And so do many people. It is patently false to say this is not done or is a good idea. You can STILL invoke the script with sudo with no ill effect. There are very good reasons NOT to invoke the entire script with sudo and to localise the sudo lines to those requiring sudo levels of access. – RichieHH Oct 12 '19 at 08:37
  • 1
    @HörmannHH please read my answer. Preferably, also read the many other comments that have already said the same thing as you. I didn't say never, I said it is rarely a good idea. I also never said anything about interactive scripts, and nor did the question. In fact, the whole point is about non-interactive scripts. – terdon Oct 12 '19 at 10:34
  • if I want to follow this advice but with a generic script, I would generally use $USER. I.e. sudo -u $USER. However if I start the script with sudo then $USER will be root, right? So is there a way to "generically" have most commands use sudo but some commands in the script use the users actual username?? – Geronimo May 28 '21 at 13:07
  • 1
    @Geronimo you have $SUDO_USER when launching things with sudo. Try sudo env | grep USER to see. – terdon May 28 '21 at 13:08
63

You could possibly modify the sudoers file.

Run sudo visudo.

Add an entry for your username and the script that you would like to run without being asked for a password.

username ALL=(ALL) NOPASSWD: /path/to/script
Klaus-Dieter Warzecha
  • 2,750
  • 3
    Didn't work for me, but thanks, good to know this exists. Perhaps I got the syntax wrong. – Krista K Jul 30 '15 at 23:02
  • 14
    Not sure anyone mentioned it, but you must terminate all login sessions of that user after you have edited the sudoers file. – escape-llc Nov 12 '15 at 17:54
  • 2
    Just to clarify here it is not the script that contains the "sudo ./playback_delete_data_patch.sh 09_delete_old_data_p.sql" line that should be specified in the sudoers file but the playback_delete_data_patch.sh script or whatever other command you want that user and/or their scripts to be able to run through sudo without specifying a password. – MttJocy Jul 08 '16 at 19:42
  • I'm trying to use this for a grub reboot to windows script. Code is: sudo grub-reboot "$(grep -i 'windows' /boot/grub/grub.cfg|cut -d"'" -f2)" && sudo reboot This works in a terminal but not in a shell script prepended with #!/bin/sh & set to executable. Any thoughts why this would be? Mousepad colouring suggests the && sudo reboot is being treated as if in quotes? I tried removing the sudos from that line and it didn't change anything. Thanks! – dez93_2000 Apr 22 '20 at 20:24
  • Turns out I needed to also add /usr/sbin/grub-reboot to /etc/sudoers and remove 'sudo' from before reboot – dez93_2000 Apr 22 '20 at 20:40
  • Perfect! Thanks, added pia.sh (Private Internet Access) to crontab with sudo, edited visudo (fith ALL=(ALL) NOPASSWD: /home/fith/pia.sh) worked! – EODCraft Staff Nov 21 '21 at 15:24
  • Great tip, thanks! – Danijel Dec 09 '21 at 09:34
33

You could try something like: 

echo "PASSWORD" | sudo -S ./playback_delete_data_patch.sh 09_delete_old_data_p.sql

This is not the most secure thing to do since you are writing a sudoer password in plain text. To make it a little more secure you can create a variable and read the sudo password into the variable and then you could execute the command as:

echo $PASSWORD | sudo -S ./playback_delete_data_patch.sh 09_delete_old_data_p.sql

Also, if you do not mind all your commands being executed as root you can simple execute your script using sudo, as previously suggested.

sudo ./myscript
dessert
  • 39,982
Jibbers
  • 542
  • 4
  • 9
25

This answer is similar to terdon's answer. I would also suggest running the main script with sudo so the script can run without having to ask for the user's password during its execution.

However, in case you want to drop root privileges to some of the commands and run them as the actual user who invoked the command with sudo, you can check for the $SUDO_USER variable to figure out the original user.

This is an example script of how you could achieve that:

#!/bin/bash

# ref: https://askubuntu.com/a/30157/8698
if ! [ $(id -u) = 0 ]; then
   echo "The script need to be run as root." >&2
   exit 1
fi

if [ $SUDO_USER ]; then
    real_user=$SUDO_USER
else
    real_user=$(whoami)
fi

# Commands that you don't want running as root would be invoked
# with: sudo -u $real_user
# So they will be run as the user who invoked the sudo command
# Keep in mind if the user is using a root shell (they're logged in as root),
# then $real_user is actually root
# sudo -u $real_user non-root-command

# Commands that need to be ran with root would be invoked without sudo
# root-command
Dan
  • 13,119
6

There is actually a much simpler way to do this. For portability, this is my implementation but feel free to manipulate it to suit your need.

Enter your sudo password as a parameter when starting the script, capture it, and echo it with each command which will prompt for the sudo password.

#!/bin/bash

PW=$1
echo $PW | ./playback_delete_data_patch.sh 09_delete_old_data_p.sql  
./command_wo_sudo.sh <param>
echo $PW | ./other_command_requires_sudo.sh <param>

You can add a prompt and capture after the script is kicked off like so:

echo "enter the sudo password, please"
read PW

But if someone else monitors what's run on the node; has access to logs created by it; or is just looking over your should randomly when you run a test, that could compromise security.

This also works with running commands/scripts that require a yes to continue:

echo $PW | yes | ./install.sh

The echo is in response to a prompt, so you can use anything you need to, there, if you're running other scripts that have prompts for progress, in sequential order. Make sure you know that order, though, or bad things can happen.

csworenx
  • 122
  • That's so much more elegant and simple, I'm glad I scrolled all the way down! EDIT: wait, this will add the password to my terminal history – Job Aug 02 '18 at 09:10
  • 5
    How to ask for username/password with read: https://ryanstutorials.net/bash-scripting-tutorial/bash-input.php That should avoid this issue – Job Aug 02 '18 at 09:13
  • 3
    Add a space before the command to avoid it appearing in the history. – Emilio Grisolía Oct 16 '20 at 18:14
2
#!/bin/bash
# this declares that current user is a sudoer
sudo tee /etc/sudoers.d/$USER <<END
END

# write the content of your script here
sudo npm install hexo-cli -g
mkdir Untitled
sudo apt-get install python

# then to remove the sudo access from the current user
sudo /bin/rm /etc/sudoers.d/$USER
sudo -k
dessert
  • 39,982
Sanyam Jain
  • 152
  • 12
    This script has a very dangerous bug. For the duration of the time the script is running, the current user has elevated privileges. Furthermore, if the script crashes, these privileges are not revoked. – dotancohen Sep 15 '20 at 00:57
-2

You could try to add the user who runs the script to the sudoers file:

#give permissions to the file
sudo chmod 700 /etc/sudoers.d/useradm

sudo visudo /etc/sudoers.d/useradm

#add the following text, changing "user" but your desired user
user ALL=(ALL)NOPASSWD:ALL

#return the right permissions to the file
sudo chmod 440 /etc/sudoers.d/useradm
dessert
  • 39,982
evinhas
  • 1
  • 4
    Generally this is a poor method. If you're going to add NOPASSWD sudo rules, especially for accounts that run automation, you should at minimum be restricting them to the exact command that is run (and not ALL) – Christopher Hunter Nov 29 '18 at 01:10