
I have a script:

setup.sh

read -s -p "Enter your password to use in script: " PASSWORD

echo -e "$PASSWORD" | sudo -S brew cask install junk

echo "Done Installing junk, running step 1..."
./step1.sh

step1.sh

echo -e "$PASSWORD" | sudo -S some-other-command

Obviously the $PASSWORD will be empty in step1.sh, and usually you export a variable to use globally in other scripts it invokes:

export PASSWORD

Or you can pass it as a script argument:

setup.sh

read -s -p "Enter your password to use in script: " PASSWORD

echo -e "$PASSWORD" | sudo -S brew cask install junk

echo "Done Installing junk, running step 1..."
./step1.sh "$PASSWORD"

step1.sh

echo -e "$1" | sudo -S some-other-command

I'm assuming the first example using an export isn't a good idea from a security perspective (however, I'm not sure). Is the second usable and secure? Also, if not, is there a better way to do this without relying on sudo caching the password (I have a large list of scripts that take time to execute and the cache will probably timeout and I want the entire script to be unattended)?

2 Answers


Don't send or use the password as plaintext.

Run the first script as `sudo first.sh`, drop privileges inside the script if needed, and then call the second script normally from the first one.


1 Comment

Unfortunately this is for an unattended setup set of scripts so this approach will not work.

It's never a good idea to store a password in plain text, especially in a script file that may get shared with other users.

But if you have to use sudo in a non-interactive way, you can try this:

read -s -p "Enter your password to use in script: " PASSWORD

# Helper script that sudo will run to obtain the password. It is created in $HOME
# rather than a shared /tmp, and exported so step1.sh inherits the helper's path
# (not the password itself). A plain template works with both GNU and BSD mktemp.
export SUDO_ASKPASS=$(mktemp "$HOME/askpass.XXXXXX")

# The outer heredoc expands $PASSWORD once, while the helper is written; the inner
# delimiter is quoted so the helper prints the stored text without re-expanding it.
cat > "$SUDO_ASKPASS" <<SUDO_ASKPASS_EOF
#!/bin/bash
cat <<'EOF'
$PASSWORD
EOF
SUDO_ASKPASS_EOF

chmod 500 "$SUDO_ASKPASS"   # owner may read and execute, nobody else

sudo -A brew cask install junk # Notice the additional `-A`: sudo runs $SUDO_ASKPASS instead of prompting on the terminal

./step1.sh

# Any more commands as required...
rm "$SUDO_ASKPASS"

Similarly, add -A to any further sudo invocations in step1.sh...
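As an added example (not code from the question or either answer), here is a setup.sh that takes the SUDO_ASKPASS approach and adds the safeguards a practitioner would want: the helper is created with owner-only permissions from the start, the plaintext variable is unset once the helper exists, and a trap removes the helper on any exit. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: an unattended
# setup.sh that gives sudo the password through SUDO_ASKPASS, so it never sits
# on a command line (readable by any local user via ps) or in an exported
# variable (inherited by every child process). The function names
# make_askpass_helper, cleanup, helper_mode and main are this example's own.

# Create a one-shot askpass helper that prints the password given as $1,
# with owner-only permissions from the moment it exists; prints its path.
make_askpass_helper() {
    old_umask=$(umask)
    umask 077
    helper=$(mktemp "${TMPDIR:-/tmp}/askpass.XXXXXX") || return 1
    # The outer heredoc expands $1 once, while the file is written; the inner
    # delimiter is quoted so the helper prints the text without re-expanding
    # any $ or backquote characters the password may contain.
    cat > "$helper" <<EOF
#!/bin/sh
cat <<'PW'
$1
PW
EOF
    umask "$old_umask"
    chmod 500 "$helper"
    printf '%s\n' "$helper"
}

# Remove the helper whenever the script exits, including on Ctrl-C or an error.
cleanup() { [ -n "${SUDO_ASKPASS-}" ] && rm -f "$SUDO_ASKPASS"; }

# Permission string of a file (e.g. -r-x------); works with GNU and BSD ls.
helper_mode() { ls -ld "$1" | cut -c1-10; }

main() {
    printf 'Enter your password to use in script: '
    stty -echo; read -r password; stty echo; printf '\n'
    SUDO_ASKPASS=$(make_askpass_helper "$password") || exit 1
    unset password                  # the secret now lives only in the 0500 helper file
    export SUDO_ASKPASS             # child scripts inherit the helper path, nothing more
    trap cleanup EXIT INT TERM
    sudo -A brew cask install junk  # -A: sudo runs $SUDO_ASKPASS instead of prompting
    ./step1.sh                      # step1.sh only needs: sudo -A some-other-command
}

# Run the full flow only when invoked as `./setup.sh --run`, so the functions
# above can be sourced or tested without prompting or calling sudo.
if [ "${1-}" = "--run" ]; then
    main
fi
```

The helper prints exactly the stored text, so passwords containing spaces, `$`, backquotes or backslashes survive; the only thing the script leaves behind on abnormal exit is nothing, since the trap runs on EXIT as well.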
