Usage of sudo in a shell script

Question

When executing a shell script, how does sudo come into play in the following?

# script.sh
ls /root
sudo ls /root

Now, if I run $ sudo ./script.sh or $ ./script.sh what will be the difference? For example:

1. Do all commands that are run with sudo ./script.sh automatically prepend a "sudo" to that command?
2. Is the sudo ls /root line vlid? Or should the line instead of ls /root and require root invocation?

Basically, I'm trying to figure out the difference in a line-item being run as sudo, or the script itself being run as sudo.

Answer 1

If you have a script that requires elevated privileges for certain commands, one way to handle those commands is with sudo. Before using sudo, there are several considerations for configuring its use. For instance, if you have certain users you want to be able to run commands with sudo and further to run sudo without being prompted for a password, you need a bit of configuration first. sudo is configured through the visudo utility. For most uses of sudo you will simply need to uncomment options at the end of the file. However to allow users to run sudo without a password, you will also need to add those users to the wheel group (some distros now use a sudo group -- check). After adding users to the wheel group, to allow them to use sudo without a password, you would run visudo and uncomment the following line:

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

With sudo configured, then within a script, if elevated (root) privileges are needed you simply need to check whether the user UID (and/or EUID) are equal to zero indicating the user is root, if not, then you use sudo to run the command. You can structure the test in the negative or in the positive to fit your taste, e.g.

if [ "$UID" -eq 0 -o "$EUID" -eq 0 ]; then
    command
else
    sudo command
fi

or

if [ "$UID" -ne 0 -a "$EUID" -ne 0 ]; then
    sudo command
else
    command
fi

If your command is not a simple command, but instead contains redirections or pipelines, then you must run the entire command with sudo not just the first command in the list. To do so, just use sudo bash -c "your long command" to ensure elevated privileges are available to each part of a compound command that needs it. For example if you attempt:

sudo cat /etc/sudoers > sudoersbackup

The command will fail. While cat has the elevated privileges to read the file the > redirection is run as the regular user and will fail due to lack of permission. To handle that circumstance, you can do:

sudo bash -c "cat /etc/sudoers > sudoersbackup"

That ensures elevated privileges are available to the entire command.