-1

I have a bash script that uses sudo commands, but in the middle I need to stop the sudo influence and then later reinstate it.

Very simple version using pseudocode:

sudo apt-get install -y synaptic
sudo ...
# I need to suspend sudo here, otherwise the folder
# is created with root as the owner.
mkdir ~/mystuff
# then reinstate it here
sudo apt-get install -y ssllib

Does sudo request the passphrase as soon as it starts to run a bash script, or does it only ask when it encounters the first "sudo" line?

If so, then I think I may be able to move all the non-sudo stuff to the top. But, the problem there is I will have to wait until the first "sudo" line is encountered to then enter the passphrase.

  • Those are two questions, the second is answered in the linked question. – dessert Oct 06 '17 at 21:36
  • You should not at all need to use sudo in a script – if the whole script runs as root (called by e.g. cron or with sudo /path/to/script) there's no need for sudo inside it. – dessert Oct 06 '17 at 21:42
  • See terdon's answer, which shows how to use sudo in a script to avoid running a particular command as root. The password will only be requested when the command is encountered; see test – Zanna Oct 07 '17 at 09:20
  • @dessert: The script is for use after a fresh install of Ubuntu. It installs a bunch of things like Samba etc then creates Folders and Shares for them. It also creates block devices for/with cifs. I run the script manually from the CLI and need the created stuff to be owned by the user. – LinuxFerLife Oct 07 '17 at 13:47
  • @X10WannaBe Let's discuss it further in this chatroom: https://chat.stackexchange.com/rooms/66774/suspend-sudo-in-bash-script – dessert Oct 07 '17 at 14:28

2 Answers

2

sudo offers the option -u for that, see man sudo:

-u user, --user=user
 Run the command as a user other than the default target user (usually root).
 The user may be either a user name or a numeric user ID (UID) prefixed
 with the ‘#’ character (e.g. #0 for UID 0). When running commands as a UID,
 many shells require that the ‘#’ be escaped with a backslash (‘\’).
 Some security policies may restrict UIDs to those listed in the password
 database. The sudoers policy allows UIDs that are not in the password database
 as long as the targetpw option is not set. Other security policies may
 not support this.

For your example this would be:

sudo -u USERNAME mkdir /home/USERNAME/mystuff
Eliah Kagan
dessert
  • Thanks, very much appreciated dessert. Thank you also for taking the time to show me an example. I do check the "man" but all too often the descriptions are way too cryptic, assuming one is a seasoned Linux user. You are someone who actually answers the originally asked question rather than eulogizing around the topic. A refreshing change. – LinuxFerLife Oct 07 '17 at 13:39
2

Given your current script, no, the mkdir command won't be run with sudo. sudo doesn't magically start affecting commands which it does not start. Nor does it magically ask for a password before it is ever run.

What might be happening is that you might have run your entire script with sudo. If that's the case, then you can check if that's true, and either ask the user to run it without sudo:

# sudo sets SUDO_COMMAND for everything it starts
if [ -n "$SUDO_COMMAND" ]
then
    echo "Please don't run this script with sudo." >&2
    exit 1
fi

Or, switch to the actual user for these commands:

if [ -n "$SUDO_USER" ]
then
    sudo -iu "$SUDO_USER" sh -c 'mkdir ~/mystuff'
fi

You might need the sh -c because ~ is expanded by the shell running the script, and depending on sudo settings, that shell might think the home directory is root's.

muru
  • @dessert ha ha, too much markdown. :) – muru Oct 06 '17 at 21:46
  • Sarcasm is always such a help. Contrary to comments above, MY version of Ubuntu DID create the Folders with Root ownership. Whether sudo should or should not do that is moot. – LinuxFerLife Oct 07 '17 at 13:42
  • @X10WannaBe indeed sarcasm is a help when you refuse to provide the actual script and how it was run, and instead provide pseudocode. Maybe do better asking questions next time? – muru Oct 07 '17 at 17:36
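
The two answers combined into one script skeleton, as an added example that is not code from either answer: it works whether or not the script itself was started with sudo, runs only the package steps as root, and creates the user's folder as the invoking user, addressed by UID with the ‘#’ form quoted from man sudo. The function names, the `--run` switch and the sample package names are assumptions made for illustration, and `getent` is assumed to be available.

```bash
#!/bin/sh
# Added example, not code from the answers; function names are hypothetical.
set -eu

# UID that should own user-level files: the sudo caller when the script was
# started with sudo (sudo exports SUDO_UID), otherwise the current user.
target_uid() {
    if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_UID:-}" ]; then
        case "$SUDO_UID" in
            *[!0-9]*) echo "unexpected SUDO_UID: $SUDO_UID" >&2; return 1 ;;
        esac
        printf '%s\n' "$SUDO_UID"
    else
        id -u
    fi
}

# Home directory from the passwd database rather than ~ or $HOME, which can
# still point at root's home depending on sudo settings.
target_home() {
    t_uid=$(target_uid) || return 1
    t_home=$(getent passwd "$t_uid" | cut -d: -f6)
    [ -n "$t_home" ] || { echo "no passwd entry for UID $t_uid" >&2; return 1; }
    printf '%s\n' "$t_home"
}

# Run a command as the target user; sudo is used only when running as root
# on someone else's behalf.
as_user() {
    t_uid=$(target_uid) || return 1
    if [ "$(id -u)" = "$t_uid" ]; then "$@"; else sudo -H -u "#$t_uid" -- "$@"; fi
}

# Run a command as root; sudo prompts only if the script is not root already.
as_root() {
    if [ "$(id -u)" -eq 0 ]; then "$@"; else sudo -- "$@"; fi
}

# Constructed sequence mirroring the question (package names are samples).
provision() {
    as_root apt-get install -y synaptic
    user_home=$(target_home)
    as_user mkdir -p -- "$user_home/mystuff"
    as_root apt-get install -y samba
}

# Nothing is installed unless the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then provision; fi
```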