Storing sudo password as variable in script - is it safe?

Is storing my password this way safe?

echo 'Write sudo password (will not be displayed) and hit enter'
read -s password

I need it开发者_如何学运维 to make commands like this:

echo $password | sudo -S apt-get install -y foo bar

---

No because you can see it via /proc/$PID/cmdline.

I suggest not to try to reinvent security tools. The sudo program can cache your password.

---

A better approach would be to edit your sudoers file and add your program that don't require password...

Do a sudo visudo and add following to enable your admin group to run apt-get w/o password: %admin ALL = NOPASSWD: /usr/bin/apt-get

See sudoers man page for more detail.

---

echo $password | sudo -S apt-get install -y foo bar 

This is a bit dangerous. If the user is already authenticated to sudo, sudo won't request the password again and it will be forwarded to apt-get, with could lead to strange results (for example, if the postinstall script asks a question). I would suggest to use

sudo -k                         # remove previous sudo timestamp
echo $password | sudo -v -S     # create a new one for 15 minutes
sudo apt-get ...                # execute the command

instead.

EDIT: Dirk is correct about the password being visible for a very short time while echo is executed. Please see my answer as an extended comment rather than an answer to your question.

---

sudo is open source, so you can compile your own version which takes the password as a command line parameter.