Shell脚本无需以sudo身份运行即可获得超级用户权限
[英]Shell script getting superuser privilege without being run as sudo
问题描述
Here is my script:
这是我的脚本:
script.sh :脚本.sh :
sudo cat /etc/passwd-
If I am in a sudo session (eg I ran an other command with sudo a few minutes ago), and now run如果我在sudo会话中(例如,几分钟前我用sudo运行了另一个命令),现在运行
script.sh
The script will get sudo access.该脚本将获得sudo访问权限。 However if I run cat /etc/passwd-/ , I will get a permission denied error.但是,如果我运行cat /etc/passwd-/ ,则会收到权限被拒绝错误。
As a user, I wouldn't expect script.sh to be able to get super user privileges so simply (eg without me giving access to superuser privileges with sudo script.sh ).作为用户,我不希望 script.sh 能够如此简单地获得超级用户权限(例如,我没有通过sudo script.sh授予超级用户权限)。
Is this expected behavior ?这是预期的行为吗? Is it configurable ?是否可配置?
I see that behavior as being completely similar to sudo su , e,g potentially giving superuser access to any script you run in that session, but even worse, because you might not even be aware of it, and don't know when it ends (at least not without checking manually)我认为这种行为与sudo su完全相似,例如可能允许超级用户访问您在该会话中运行的任何脚本,但更糟糕的是,因为您甚至可能不知道它,也不知道它何时结束(至少不是没有手动检查)
1 个解决方案
解决方案1
4 已采纳 2015-05-29 16:35:55
Is this expected behaviour ?
Yes, indeed, it is expected behavior.是的,确实,这是预期的行为。 User's cached credential for sudo is responsible for it.用户的 sudo 缓存凭据对此负责。
Is it configurable?
Yes, it is configurable.是的,它是可配置的。
And I think your security concern is a valid one.我认为您的安全担忧是有效的。 Running script.sh in a terminal where a sudo command is run before (within a certain timeout), will give the script superuser privilege if the script is written with explicit sudo commands.如果脚本是使用显式sudo命令编写的,则在之前运行sudo命令的终端中运行script.sh (在特定超时内)将授予脚本超级用户权限。
You can avoid any script not prompting for a password when run as sudo by running it with:您可以通过运行以下命令来避免在以 sudo 身份运行时不提示输入密码的任何脚本:
sudo -k script.sh
It will ask for a password regardless of any previous sudo command/s or session.无论之前是否有任何 sudo 命令或会话,它都会要求输入密码。
And to run script.sh without sudo ie with just
script.shand still prompt for a password for the sudo command/s:script.sh并仍然提示输入 sudo 命令的密码:
You can change the timeout value (the duration sudo maintains the session) permanently:您可以永久更改超时值(sudo 维护会话的持续时间):
run sudo visudo运行sudo visudo
Then change the line:然后换行:
Defaults env_reset
To到
Defaults env_reset,timestamp_timeout=0
Save and exit (ctrl+X then Y)保存并退出(ctrl+X 然后是 Y)
This will ensure that sudo asks for a password every time it is run.这将确保 sudo 每次运行时都要求输入密码。
Or If you don't want to change it permanently and want your script to prompt for password at least once (while maintaining a session), then you can change your script like this:或者,如果您不想永久更改它并希望您的脚本至少提示输入一次密码(同时保持会话),那么您可以像这样更改您的脚本:
sudo -k first-command-with-sudo
sudo second-command
sudo third
and so on
This script will prompt for password at least once regardless of any previous sudo command/s or session.无论之前是否有任何 sudo 命令或会话,此脚本将至少提示输入一次密码。
In case you are unaware of (or don't have access to) the content of the script script.sh (it can have sudo commands inside it or not)如果您不知道(或无法访问)脚本 script.sh 的内容(它可以包含或不包含 sudo 命令)
And you want to be sure that any sudo command will surely prompt for password at least once, then run sudo -K (capital K) before running the script.并且您要确保任何 sudo 命令肯定会提示输入密码至少一次,然后在运行脚本之前运行sudo -K (大写 K)。
Now if you run script.sh and if it contains a sudo command, it will surely prompt for password.现在如果你运行script.sh并且它包含一个 sudo 命令,它肯定会提示输入密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.