Sudo confirmation prompt












0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22
















0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22














0












0








0








I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question














I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo




linux sudo






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 11 at 15:18









Nicolas GoyNicolas Goy

186




186













  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22



















  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22

















I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22





I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22










2 Answers
2






active

oldest

votes


















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06
















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06














1












1








1







It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer













It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 16:08









Kamil MaciorowskiKamil Maciorowski

27.6k156083




27.6k156083













  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06

















Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21





Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21













@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28





@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28













Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06





Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06













0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26
















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26














0












0








0







This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer













This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 15:32









WolfmadeWolfmade

1




1













  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26



















  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26

















Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26





Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

If I really need a card on my start hand, how many mulligans make sense? [duplicate]

Image
5 This question already has an answer here: How do you calculate the likelihood of drawing certain cards in your opening hand? 3 answers There is a funny modern deck where you play Treasure Hunt, but you really need to have it on the starting hand. How many mulligans should I take, if my deck contains 60 cards and contains 4 copies of Treasure Hunt? magic-the-gathering probability share | improve this question asked Nov 23 '18 at 12:12 dan dan 152 4
Read more

Alcedinidae

Image
Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
Read more

Can an atomic nucleus contain both particles and antiparticles? [duplicate]

Image
9 $begingroup$ This question already has an answer here: What happens if we put together a proton and an antineutron? 2 answers Is it theoretically possible to make a "deuterium" atom containing a proton and an antineutron in its nucleus? Would the strong nuclear force cause attraction between a proton and an antineutron? Would such a nucleus be stable, or would the proton somehow annihilate the antineutron when close enough? nuclear-physics antimatter share | cite | improve this question asked yesterday
Read more