From: Daniel A. S. <st...@ic...> - 2005-03-24 15:45:01
Tim,

On 19/03/2005, at 2:50, Tim Jones wrote:

> I'm sending this to Daniel and Kevin directly as my posts to the
> newsgroup don't seem to percolate through.
>
> If we're not using expect for other parts of a project, we use a sudo
> hack in this manner:
>
> with a variable 'pass' which contains the user's password available:
>
>     echo $pass | sudo -S ls /etc/hosts
>     sudo command-to-run-as-root
>     sudo -k
>
> Of course we wrap everything in a catch, but that shows the basic
> logic.
>
> The echo line will set the default sudo clock running, and because it
> happens so quickly it stands a very slim chance of being caught by a
> top or ps so the password is kept relatively secure. By resetting
> sudo's timer with the -k call, we alleviate "piggy-backed" sudo calls.
>
> We use this successfully in a large number of internal tools via popen
> in C, a straight exec in Tcl/Tk, an os.system in Python, and even in
> REAlbasic's Shell.

The only issue with this approach is that sudo may in fact not ask for a
password even the first time around, e.g. if the sudoers file is
configured never to ask for one (sudo is very configurable!), if the
user already has a valid sudo timestamp, or if you're already running as
the target user; so you may well ask the user for a password that is
never actually needed...

The expect solution has the advantage that it only asks the user for a
password when sudo actually needs one; but OTOH, your solution is of
course a fair bit simpler.

Cheers,

Daniel

--
** Daniel A. Steffen    **  "And now for something completely
** Dept. of Mathematics **   different"  Monty Python
** Macquarie University **  <mailto:st...@ma...>
** NSW 2109 Australia   **  <http://www.maths.mq.edu.au/~steffen/>
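
An added example, not part of the original message or of either poster's tools: one way to get the "only ask when sudo actually needs a password" behaviour without expect is to probe with `sudo -n` first, then feed the password on stdin and reset the timestamp only if this call created it. The `SUDO` variable and the `ask_password` function are assumed hooks introduced here.

```shell
# Added example, not code from the thread.
# SUDO and ask_password are assumed hooks so a stub can stand in for sudo.
SUDO=${SUDO:-sudo}

# Succeeds when sudo would have to prompt. `sudo -n` never prompts and exits
# non-zero instead, so this is false with a NOPASSWD rule, a valid timestamp,
# or when already running as the target user. It is also true when sudoers
# does not let the user run `true`; sudo then rejects the attempt itself.
sudo_needs_password() {
    ! $SUDO -n true 2>/dev/null
}

# Read one line from the terminal with echo off and print it on stdout.
ask_password() {
    printf 'Password: ' >&2
    stty -echo
    IFS= read -r pw_line
    stty echo
    printf '\n' >&2
    printf '%s' "$pw_line"
}

# run_as_root CMD [ARGS...]
run_as_root() {
    if sudo_needs_password; then
        pass=$(ask_password) || return 1
        # printf is a shell builtin: the password goes down the pipe and is
        # never part of any process's argument list.
        printf '%s\n' "$pass" | $SUDO -S -p '' -- "$@"
        status=$?
        unset pass
        # This call created the timestamp, so reset it (the thread's sudo -k).
        $SUDO -k
    else
        # Nothing to ask; leave any timestamp the user already had alone.
        $SUDO -n -- "$@"
        status=$?
    fi
    return "$status"
}
```

The probe uses `true`, so a sudoers file that grants NOPASSWD only for specific commands will still lead to a prompt here.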