1. Overview
In Linux, the sudo command allows us to execute a command or script as the superuser. However, by default, the sudo command works in an interactive mode.
In this tutorial, we’ll look at how to tell sudo to work in a non-interactive mode — for example, passing the password as a parameter to it.
Moreover, we’ll discuss other approaches to run a command as the superuser without asking for a password.
2. Passing a Password as a Parameter
First of all, let’s review the default behavior of the sudo command:
kent$ sudo cp /root/.vimrc root_vimrc
[sudo] password for kent:
kent$ ls -l root_vimrc
-rw------- 1 root root 19768 Oct 23 23:24 root_vimrcIn the example above, we’ve executed the sudo command as a regular user, kent. We want to copy root‘s Vim configuration file to the current directory.
As the output shows, sudo prompted for the password and waited for us to provide the password of the user kent to continue. After we typed the correct password, it copied the .vimrc to the current directory.
Sometimes, we want to run the sudo command in a non-interactive mode — for example, when we need to wrap this sudo command in a script.
Next, let’s see how to pass the password as a parameter to sudo.
2.1. Using the -S Option
The sudo command provides a -S option to read the password from the standard input (stdin) instead of using the terminal device.
Let’s test this option using the same command:
kent$ echo "My Pass" | sudo -S cp /root/.vimrc root_vimrc2
[sudo] password for kent:
kent$ ls -l root_vimrc2
-rw------- 1 root root 19768 Oct 23 23:34 root_vimrc2As we can see, we’ve piped the password to stdin. Even though the sudo command still displayed the prompt, this time, it didn’t wait for our input and continued executing the cp command.
2.2. Suppressing the Prompt
It’s worth mentioning that when we use the -S option, sudo will write the prompt to standard error (stderr) instead of standard out (stdout).
If we want, we can quickly suppress the password prompt using redirection:
kent$ echo "My Password" | sudo -S cp /root/.vimrc root_vimrc3 2>/dev/null
kent$ ls -l root_vimrc3
-rw------- 1 root root 19768 Oct 23 23:44 root_vimrc32.3. The Security Risks
So far, we’ve successfully made sudo work in a non-interactive mode. However, if we revisit our commands, we can see that we passed passwords as clear text to the sudo command.
If we execute those commands in a terminal, the passwords may be stored in the command history. Also, if we wrap the commands in a shell script, the script file will hold the password.
That is, this approach may create security risks. Particularly, when we apply it on a public server, we may leak our password unconsciously.
Next, let’s see another way to execute a command with the sudo command without providing passwords.
3. Execute a Command as the Superuser Without Asking for a Password
3.1. A Script Example
First, let’s create a simple shell script to make the explanation easier:
kent$ cat cpvimrc.sh
#!/bin/bash
echo "Copy root's .vimrc as root_vimrc"
cp /root/.vimrc root_vimrc
echo "File copied:"
ls -l root_vimrcBasically, this script wraps the command to copy root‘s .vimrc file and the ls command.
Not surprisingly, if we run this script directly as the kent user, it’ll fail since only the user root can access the /root/.vimrc file.
Also, if we execute it with sudo, we will be asked for the password.
Next, we’ll address how to execute this script as the superuser using the sudo command without asking for a password.
3.2. Changing the sudo Command’s Configuration
We can configure the sudo command to give all users or specified users access to a particular program without asking for passwords.
To edit the sudo command’s configuration, we can either execute the visudo command or edit the file /etc/sudoers. Both of them require root permission to save the changes.
Now, let’s come back to our example. Our goal is to allow the kent user to run the “sudo ./cpvimrc.sh” command in a non-interactive mode.
To achieve that, we can add one line to the sudo command’s configuration:
kent ALL=(root) NOPASSWD: /tmp/test/cpvimrc.sh
This line tells sudo: When the user kent executes the script /tmp/test/cpvimrc.sh with sudo, the sudo command will run the script as root without asking for a password.
Next, let’s save the change and test if it works as we expected:
kent$ sudo ./cpvimrc.sh
Copy root's .vimrc as root_vimrc.
File copied:
-rw------- 1 root root 19768 Oct 24 22:59 root_vimrc
As we’ve seen in the output, this time, sudo didn’t prompt for the password and copied the file directly. Further, we haven’t leaked the password anywhere.
However, this privilege is only assigned to the user kent. Therefore, if we execute the same script as another regular user, we have to provide the correct password:
guest$ sudo ./cpvimrc.sh
[sudo] password for guest:
Copy root's .vimrc as root_vimrc.
File copied:
-rw------- 1 root root 19768 Oct 24 23:05 root_vimrcThe example above shows that when we log in as the user guest and start the script with sudo, we must type the password.
3.3. Allow All Users to Execute a Program as root Without Asking for Passwords
Sometimes, we would like to allow all users with sudo privilege to run a program as root without asking for passwords.
To achieve that, we can add a pretty similar line into the sudo command’s configuration:
ALL ALL=(root) NOPASSWD: /tmp/test/cpvimrc.sh
Now, all users with sudo privilege can run the script /tmp/test/cpvimrc.sh as the superuser without providing passwords.
Next, let’s save the change and do a test:
kent$ sudo ./cpvimrc.sh
Copy root's .vimrc as root_vimrc.
File copied:
-rw------- 1 root root 19768 Oct 24 23:18 root_vimrc
guest$ sudo ./cpvimrc.sh
Copy root's .vimrc as root_vimrc.
File copied:
-rw------- 1 root root 19768 Oct 24 23:19 root_vimrc
The output above shows that both guest and kent can execute the script as root without being prompted for passwords.
4. Conclusion
By default, when we start a program with the sudo command, it’ll ask for the current user’s password. However, sometimes, we would like to execute some commands with sudo in a non-interactive mode.
In this article, first, we’ve shown an approach of passing the password as a parameter to the sudo command with the -S option. Although it works straightforwardly, it may create security concerns.
Then, we’ve addressed how to achieve it by editing the sudo command’s configuration to give users access to a particular program without asking for passwords.