假設我有一個commands.sh類似于以下內容的腳本:
command1 # Must be run as root
command2 # Absolutely cannot be run as root
command3 # Should be run as unprivileged user, but can be run as root
...
...
如果我們跑了commands.sh,那么command1就會抱怨。如果我們跑了sudo commands.sh,那么command2就會抱怨。我們可以編輯commands.sh如下,
sudo command1
command2
command3
...
...
即sudo在適當的地方插入 s。使用默認sudo配置(15 分鐘身份驗證持久性),效果很好(假設腳本運行時間少于 15 分鐘)。但是,如果腳本更長,或者我們禁用了身份驗證持久性,那么我覺得沒有明顯的前進方向。此外,某些系統甚至可能不sudo用于身份驗證 - 他們可能會使用doas或其他方式。
是否有任何(POSIX-y?)方法來創建腳本,在開始時進行一次身份驗證,然后在必要時通過腳本持久化該身份驗證,而不使用sudo' 持久性?
uj5u.com熱心網友回復:
一種可能性是要求腳本通過 運行sudo,然后sudo -u在腳本中使用以將不應以 root 身份運行的命令恢復(/demote)到原始用戶。在腳本的開頭包含一些完整性檢查以確保它是從正確的環境中運行的,這可能是一個好主意:
#!/bin/bash
if [[ "$EUID" != 0 ]]; then
# The script is not running as root
echo "This script must be run via sudo (as root)" >&2
exit 1
# Optional: replace exit 1 with:
# exec sudo "$0" "$@" # Re-run this script via sudo
# exit $? # In case the exec fails
elif [[ -z "$SUDO_USER" ]]; then
# The script is running as root, but doesn't have $SUDO_USER
# (the original user who ran sudo) to revert back to for
# unprivileged operations
echo "This script must be run via sudo, not directly as root" >&2
exit 1
elif [[ "$SUDO_USER" = root || "$SUDO_UID" = 0 ]]; then
# The script is running as root via sudo, but $SUDO_USER is
# *also* root, so is not suitable to revert back to for
# unprivileged operations
echo "This script must be run via sudo, from a regular (non-root) account" >&2
exit 1
fi
command1 # Must be run as root
sudo -u "$SUDO_USER" command2 # Absolutely cannot be run as root
sudo -u "$SUDO_USER" command3 # Should be run as unprivileged user, but can be run as root
轉載請註明出處,本文鏈接:https://www.uj5u.com/shujuku/503770.html
上一篇:使用檔案上的字串執行rm并洗掉行
下一篇:如何知道zsh中的字串是否為空?