在Sudoers文件中的Bash脚本,但是想要在某些条件下要求根密码的脚本

时间:2022-05-01 02:09:28

I'm driven here by my weak Google-fu. I found this question to be extremely difficult to search.

我被弱小的Google-fu驱赶到这里。我发现这个问题非常难以搜索。

I wrote a bash script that checks for package updates to my Debian Wheezy load. This is not a cron job. I want the user to be able to run the script manually whenever she suspects (via an email, for example) that package updates may be available and then be able to actually download and install same.

我写了一个bash脚本,检查我的Debian Wheezy加载的包更新。这不是一项任务。我希望用户能够在怀疑(例如通过电子邮件)包装更新可用时手动运行脚本,然后能够实际下载并安装相同的脚本。

If the script is run and updates are found, I want the script to then ask the user for the root password, then open Aptitude, so the user can see what package updates are available.

如果运行脚本并找到更新,我希望脚本然后询问用户root密码,然后打开Aptitude,以便用户可以看到可用的软件包更新。

I have the script running on several hosts, but on one of the hosts, I want to have the script alert me if the host does not currently have a network connection before checking for updates. For this, I use the "route" command, which requires root privileges to run. I don't, however, wish to put "route" into said host's sudoers file. So, on the particular host that I need network connectivity confirmation, I have referenced the script itself in that host's sudoers file:

我有几个主机上运行的脚本,但在其中一个主机上,如果主机在检查更新之前当前没有网络连接,我想让脚本提醒我。为此,我使用“route”命令,该命令需要root权限才能运行。但是,我不希望将“路线”放入主持人的sudoers文件中。因此,在我需要网络连接确认的特定主机上,我在该主机的sudoers文件中引用了脚本本身:

booboo ALL = NOPASSWD: /home/booboo/Scripts/chk4updates.sh

Here is a look at an outline of what the script does:

下面是脚本的功能概述:

host=$(hostname)

if [ $host = travel ] ; then

    ...check for a connection, using the "route" command...
fi

...check for package updates...

if [ ...updates are found... ] ; then

    gksu aptitude
fi

For all of the non-problem hosts, if updates are found, I get the gksu window that asks for the root password so that "aptitude" can be opened. But, for the host named "travel", the script opens aptitude without asking for a root password. I don't want this to happen.

对于所有非问题主机,如果找到更新,我会获得要求root密码的gksu窗口,以便可以打开“aptitude”。但是,对于名为“travel”的主机,该脚本会打开aptitude而不需要root密码。我不希望这种情况发生。

I've tried a few things, but nothing has worked for me. Do I need to modify the problem host's sudoers file, or can I add a command to the script that will give me my desired behavior? Something like:

我尝试了一些东西,但没有任何对我有用。我是否需要修改问题主机的sudoers文件,或者我可以在脚本中添加一个命令来提供我想要的行为吗?就像是:

...
...check for package updates...

if [ ...updates are found... ] ; then

    if [ $host = travel ] ; then

        ...some command so that a root password is required to open aptitude...

    else

        gksu aptitude
    fi
fi

TIA!

1 个解决方案

#1


1  

When you are root, you can switch to a regular user at any point with su.

当你是root用户时,你可以在任何时候使用su切换到普通用户。

if [ -z "$SUDO_USER" ]; then
    gksudo aptitude
else
    su -c 'gksudo aptitude' "$SUDO_USER"
fi

Your setup seems extremely brittle and convoluted, though. There really is no such thing as a safe sudo shell script. The requirement to not add route to the sudoers file seems suspicious. Is there really no way you can refactor this so that the special case is handled on travel somehow? Maybe write a wrapper for route which you can put in sudoers and which checks that it's called from the right script, for example.

但是,您的设置似乎非常脆弱和错综复杂。确实没有安全的sudo shell脚本这样的东西。不向sudoers文件添加路由的要求似乎是可疑的。难道你真的没有办法重构这个特殊情况以某种方式处理旅行吗?也许为路由写一个包装器,你可以把它放在sudoers中,并检查它是否从正确的脚本中调用,例如。

However, I would actually go with ping instead of route -- after all, route only tells you whether the route is set up locally, but won't reveal if there is a connectivity problem to the outside world. Then the rest of your question is moot.

但是,我实际上会使用ping而不是路由 - 毕竟,路由只会告诉您路由是否在本地设置,但不会显示外部世界是否存在连接问题。然后你的其余问题没有实际意义。

(Or maybe even use something like cron-apt and remove the whole problem completely.)

(或者甚至可以使用类似cron-apt的东西并完全删除整个问题。)

#1


1  

When you are root, you can switch to a regular user at any point with su.

当你是root用户时,你可以在任何时候使用su切换到普通用户。

if [ -z "$SUDO_USER" ]; then
    gksudo aptitude
else
    su -c 'gksudo aptitude' "$SUDO_USER"
fi

Your setup seems extremely brittle and convoluted, though. There really is no such thing as a safe sudo shell script. The requirement to not add route to the sudoers file seems suspicious. Is there really no way you can refactor this so that the special case is handled on travel somehow? Maybe write a wrapper for route which you can put in sudoers and which checks that it's called from the right script, for example.

但是,您的设置似乎非常脆弱和错综复杂。确实没有安全的sudo shell脚本这样的东西。不向sudoers文件添加路由的要求似乎是可疑的。难道你真的没有办法重构这个特殊情况以某种方式处理旅行吗?也许为路由写一个包装器,你可以把它放在sudoers中,并检查它是否从正确的脚本中调用,例如。

However, I would actually go with ping instead of route -- after all, route only tells you whether the route is set up locally, but won't reveal if there is a connectivity problem to the outside world. Then the rest of your question is moot.

但是,我实际上会使用ping而不是路由 - 毕竟,路由只会告诉您路由是否在本地设置,但不会显示外部世界是否存在连接问题。然后你的其余问题没有实际意义。

(Or maybe even use something like cron-apt and remove the whole problem completely.)

(或者甚至可以使用类似cron-apt的东西并完全删除整个问题。)