Sudo su visudo

An article from "IT Dept"

Jonathon Irons

At work I maintain a bundle of bash scripts which help us automate the formatting and writing of hard drives for Digital Cinema Packages (DCPs). When I inherited this small codebase, I found that the formatting script in particular seemed dangerous - you'd be asked which USB drives to format and then it would open a new Terminal window as root and go to town on /dev/sd?. If you canceled the operation with ctrl+c, you'd be left at a root prompt with full access. So I did my best to rewrite things from the perspective of the least privilege needed for each task. By taking advantage of credential caching for sudo, I could ask the user for a password once at the top of the script and then run $ sudo gnome-terminal to launch the new window and run disk commands without needing to repeat the password input, and without the window itself running directly as root.

When I started, we were running Ubuntu 20.04 and were still using X11 instead of Wayland, so I could do this without issue and add some code to 'su' the shell back to a regular command prompt if something went wrong. Recently I started putting together a new Ubuntu 24.04 installation on a newer Mac Mini, and found that $ sudo gnome-terminal was now failing due to a missing 'dbus-launch' command. Some research showed that this was most likely down to this new install using Wayland instead of X11, and apparently launching a new Terminal using sudo or running it as root was intentionally taken out.

I could still run 'gnome-terminal' without sudo to open the new window, but then I'd always be asked for the password a second time. Eventually a helpful soul on stackexchange led me to a great solution: the /etc/sudoers file has a 'timestamp_type' option which controls whether the credential cache is tied to an individual login window or process, with each new one requiring re-authentication, or whether the cache works globally per user and applies to any Terminal or process opened by that user. Using 'visudo', I added Defaults timestamp_type=global to the sudoers file and then ran $ exec $SHELL afterwards to make sure all the options were reloaded (which may or may not have actually been necessary). Et voilà, I could run a test command with sudo, enter my password, then run gnome-terminal for a new window and see that a second sudo command successfully reused my now globally-cached password.
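The shell snippet below is an added example, not code from the article or its scripts: it reads the effective timestamp_type out of sudoers text, states whether that scope lets a second terminal reuse the ticket, validates a candidate Defaults line with visudo before installing it as a drop-in, and wraps the one-password session so the cached ticket is dropped when the script exits (with timestamp_type=global, every process of that user can run sudo without a prompt until the timeout or until sudo -k, so closing that window at the end of the job is the check a practitioner wants). The sudoers.d path and the demo command inside the new terminal are assumptions.

```shell
# Effective timestamp_type from sudoers text on stdin. sudo's documented
# default is "tty" when no Defaults line sets it; '#' lines are comments.
sudoers_timestamp_type() {
    t=$(grep -E '^[[:space:]]*Defaults.*timestamp_type[[:space:]]*=' \
        | sed -E 's/.*timestamp_type[[:space:]]*=[[:space:]]*([a-z]+).*/\1/' \
        | tail -n 1)
    printf '%s\n' "${t:-tty}"
}

# Does a ticket cached in one terminal satisfy sudo in a freshly opened one?
# global: yes (per user). tty/kernel: bound to the terminal. ppid: bound to
# the parent process, and the new terminal's shell has a different parent.
reuses_across_terminals() {
    case "$1" in
        global) echo yes ;;
        ppid|tty|kernel) echo no ;;
        *) echo unknown ;;
    esac
}

# Validate a Defaults line with visudo before installing it as a drop-in
# (assumed path /etc/sudoers.d/timestamp-type). A typo in /etc/sudoers can
# lock you out of sudo entirely; a syntax error here is caught first.
install_timestamp_type() {
    tmp=$(mktemp) || return 1
    printf 'Defaults timestamp_type=%s\n' "$1" >"$tmp"
    visudo -cf "$tmp" && sudo install -m 0440 "$tmp" /etc/sudoers.d/timestamp-type
    rc=$?
    rm -f "$tmp"
    return $rc
}

# One-password session: authenticate once, open the unprivileged terminal,
# and invalidate the cached ticket when the script ends so the global cache
# does not outlive the formatting job. Needs sudo and a display, so it is
# not exercised by the test below.
format_session() {
    sudo -v || return 1            # prompt once; the ticket is now cached
    trap 'sudo -k' EXIT            # drop the ticket on exit, even on ctrl+c
    # sudo -n never prompts: it reports whether the cached ticket was reused.
    gnome-terminal -- bash -c 'sudo -n true && echo "ticket reused"; exec bash'
}
```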