Sudo confirmation prompt












0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22
















0















I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question























  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22














0












0








0








I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo







share|improve this question














I use sudo on my linux workstation, and it is configured to request a password each time.



But typing the password every time is cumbersome and also a bit dangerous if I don't have the focus to the right window.



I'd like to configure sudo to have the following behaviour:




  • If headless (no X11), request full password

  • If X11 is available prompt for confirmation, the confirmation should be a gui window with an allow and deny button and some simple input (like type yes to confirm, to prevent hitting enter accidentally)






linux sudo




linux sudo






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jan 11 at 15:18









Nicolas GoyNicolas Goy

186




186













  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22



















  • I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

    – Nicolas Goy
    Jan 12 at 1:22

















I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22





I did not mention it, but if you have an idea that use some hardware (like fingerprint reader), that would work too. In the end I just want to grant sudo rapidly.

– Nicolas Goy
Jan 12 at 1:22










2 Answers
2






active

oldest

votes


















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06
















1














It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer
























  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06














1












1








1







It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.






share|improve this answer













It's technically possible with sudo -A. From man 8 sudo:




-A

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program. […]




Your solution may look like this:





  1. Write a helper script. The script should check if X11 is available.




    • If it is, the script should display a window you desire. If you allow, the script will read your password from a file and print to standard output (cat file may be enough).

    • If X11 is not available, the script should use stdin (e.g. read -rs in Bash) to get the password from you; then print it to standard output.




    Securing the file (so nobody else can read it) and the script (so nobody else can change it) is your concern now.



  2. Set SUDO_ASKPASS="/path/to/your/helper/script" and export it.


  3. Define an alias alias sudo='sudo -A'.


Note the answer only states this is technically possible. It doesn't say this is secure or recommended.







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 16:08









Kamil MaciorowskiKamil Maciorowski

27.6k156083




27.6k156083













  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06



















  • Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

    – Nicolas Goy
    Jan 12 at 1:21











  • @NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

    – Kamil Maciorowski
    Jan 12 at 1:28











  • Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

    – Nicolas Goy
    Jan 12 at 2:06

















Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21





Well, the idea is that even my user shouldn't be able to escalate to root without graphical confirmation. With this setup, the password file would be readable by my user.

– Nicolas Goy
Jan 12 at 1:21













@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28





@NicolasGoy I don't follow. You know your password in the first place, so what difference does the readable file make?

– Kamil Maciorowski
Jan 12 at 1:28













Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06





Because if I run a malicious script it could read the file and run as root without me knowing. But well, that's very unlikely as it would have to know in which file I store my password. I'm against security through obscurity, but I guess it wouldn't be a problem in this case.

– Nicolas Goy
Jan 12 at 2:06













0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26
















0














This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer
























  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26














0












0








0







This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe






share|improve this answer













This is generally more dangerous as this makes local privilege escalation very easy. Perhaps you can achieve close to intended results by compiling polkit with a timeout which suits your needs? https://unix.stackexchange.com/questions/409636/pkexec-how-do-i-set-a-custom-timeout-for-auth-admin-keep-when-writting-a-pkexe







share|improve this answer












share|improve this answer



share|improve this answer










answered Jan 11 at 15:32









WolfmadeWolfmade

1




1













  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26



















  • Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

    – bertieb
    Jan 11 at 16:26

















Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26





Welcome to Super User! Can you edit your answer to include the relevant information from the link, by way of explanation? Thanks

– bertieb
Jan 11 at 16:26


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1393201%2fsudo-confirmation-prompt%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 total noob sorry any help greatly appreciated. I keep getting this "Incorrect syntax near the keyword 'ON'." heres my codes code one CREATE TABLE supplier ( supplierID INT PRIMARY KEY, ISBN INT FOREIGN KEY REFERENCES book(ISBN), price DECIMAL (5,2), ON UPDATE CASCADE, ON DELETE CASCADE, ); code two CREATE TABLE orders ( orderID INT PRIMARY KEY, customerID INT FOREIGN KEY REFERENCES customer(customerID), ISBN INT FOREIGN KEY REFERENCES book(ISBN), orderDate date, ON UPDATE CASCADE, ON DELETE CASCADE, ); Ive run out of stuff to try other than dumbing it down to uselessness.
Read more

Alcedinidae

Image
Alcedinidae Martin-pêcheur à dos bleu ( Alcedo azurea ) Classification (COI) Règne Animalia Embranchement Chordata Sous-embr. Vertebrata Classe Aves Ordre Coraciiformes Famille Alcedinidae Rafinesque, 1815 Les Alcédinidés ou Alcedinidae forment une famille d'oiseaux plus connus sous les noms de martins-pêcheurs et martins-chasseurs. Sommaire 1 Description 2 Répartition et habitat 3 Systématique 3.1 Liste alphabétique des genres 3.2 Liste des espèces 4 Chez les Anciens : l'alcyon 4.1 Étymologie (Littré) 4.2 Oiseau « fabuleux » ? 5 Notes 6 Articles connexes 7 Liens externes 7.1 Bibliographie Description | Ce sont des oiseaux compacts de taille petite à moyenne (10 à 46 cm), au bec droit et long, en forme de poignard. Leurs pattes sont courtes, et ils portent un plumage aux couleurs vives. Répartition et habitat | Cosmopolites, ils fréquentent surtout
Read more

RAC Tourist Trophy

Image
Pour les articles homonymes, voir Tourist Trophy. Le RAC Tourist Trophy est une course automobile organisée par le Royal Automobile Club d'Angleterre. Créée en 1905, cette course a fait partie des épreuves comptant pour le championnat du monde des voitures de sport entre 1953 et 1955, en 1958 et 1959, et entre 1962 et 1965. Après une interruption de 17 ans (l'épreuve s'arrête après 1988), le RAC Tourist Trophy reprend en 2005 sous l'égide de la FIA GT. Palmarès | John Napier sur Arrol-Johnston, vainqueur du premier RAC Tourist Trophy, en 1905. L'honorable C.S. Rolls, vainqueur du RAC Tourist Trophy 1906. Ernest Curtis, sur Rover 20 hp, vainqueur du RAC Tourist Trophy 1907. William Watson, vainqueur du RAC Tourist Trophy 1908. Kenelm Lee Guinness, vainqueur du RAC Tourist Trophy 1914 sur Sunbeam. Départ du RAC Tourist Trophy 1928. Louis Gérard, vainqueur du RAC Tourist Trophy 1938 sur Delage. Année Circuit Vainqueur
Read more