Sudo confirmation prompt












0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)










share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22
















0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)










share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22














0












0








0








I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)










share|improve this question














I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)







linux sudo






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 11 at 15:18









Nicolas GoyNicolas Goy

186




186













  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22



















  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22

















I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22





I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22










2 Answers
2






active

oldest

votes


















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06
















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06














1












1








1







It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer













It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 16:08









Kamil MaciorowskiKamil Maciorowski

27.6k156083




27.6k156083













  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06

















Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21





Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21













@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28





@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28













Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06





Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06













0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26
















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26














0












0








0







This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer













This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 15:32









WolfmadeWolfmade

1




1













  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26



















  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26

















Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26





Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?