Following the principle of least privilege, run as little as you can as root. Therefore, use sudo from within the script.
Note that the first time there is a command that needs sudo, you may be prompted. (That won't be true if you applicably use NOPASSWD in /etc/sudoers, which is a technique that many people will shun as also being insecure.) However, when you run sudo and provide a password, sudo will remember the success for a period of time. By default that period of time is five minutes. So if you ran "sudo echo hi", typed in your password, and then ran the script soon after that, then there would be no need for you to be prompted for a password when you run the script. More realistically, if you just run the script, you will likely just be asked to sudo once... presuming that your script takes less than five minutes to complete the remaining tasks.
I might not worry about a few echo commands, but if there is significant content that can be done without extra permissions, then, for the sake of security, I generally like to maximize how much is done with minimal elevation.
As an example of minimizing permissions, let me show you another sample scenario. Instead of:
sudo sh -c "sample-command >> /var/log/output.txt"
I like to use:
sample-command | sudo tee -a /var/log/output.txt > /dev/null
By doing this, the entire command runs without sudo, and the only part that ends up having enhanced permissions is the part that needs enhanced permissions, which is the part that writes to the file.
Clearly, my goal here is to minimize how much is done elevated. Similarly, if your entire script doesn't require elevation, the preferred approach (from a security perspective) is to minimize how much is done elevated.
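The pattern described above as a complete script, added here as an example; it is not code from the original answer. The names build_report, append_as_root and the SUDO variable are assumptions, and the target path is the one used in the answer.

```shell
#!/bin/sh
# Added example, not from the original answer. The script does all of its
# real work unprivileged and elevates only the single write that needs root,
# using the "| sudo tee -a" pattern. build_report, append_as_root and the
# SUDO variable are assumed names; the target path is the one from the answer.
# SUDO defaults to "sudo"; set SUDO="" to exercise the same logic unprivileged
# against a file you own (useful for testing without a root prompt).
SUDO="${SUDO-sudo}"

# Unprivileged stage: collect whatever is going to be logged. Nothing here
# runs as root, so a bug in this part cannot damage root-owned files.
build_report() {
    printf 'host=%s\n' "$(uname -n)"
    printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'user=%s\n' "$(id -un)"
}

# Privileged stage: tee is the only elevated process. It appends stdin to
# the target; its own stdout copy is discarded so nothing echoes to the
# terminal. The "> /dev/null" redirection is opened by the caller's shell,
# which is fine because /dev/null is writable by everyone.
append_as_root() {
    target="$1"
    $SUDO tee -a "$target" > /dev/null
}

# For contrast, the form from the comments that does NOT work:
#   build_report | sudo cat >> /var/log/output.txt
# The ">>" is opened by the unprivileged caller's shell before sudo ever
# runs; that open fails with "Permission denied" and "sudo cat" never starts.

# Usage: ./script.sh [/var/log/output.txt]
# The pipeline only runs when a target is given, so the functions can also
# be sourced and called individually.
if [ $# -gt 0 ]; then
    build_report | append_as_root "$1"
fi
```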
Welcome, 10k ;-) – Arjan – 2018-01-19T07:57:09.357
@TOOGAM Could you do the same thing without using tee like this instead?
sample-command | sudo cat >> /var/log/output.txt
Or is there a difference? – ADJenks – 2018-09-24T02:14:13.110
Hmm, I see, cat does not work... – ADJenks – 2018-09-24T02:25:44.317
@adjenks: right. In your example, the shell realizes there is a pipe and a redirection. sample-command runs at the same time as the second thing it runs, which is "sudo cat" (the part between the pipe and the >>). Then the output of that will get redirected using the initial user account that ran the command. To handle this situation, you can place the >> inside quotes that cause >> to just be part of a single argument, as shown in the answer (where I mentioned sudo -c), or, better yet, become practiced with using tee as described by my answer. – TOOGAM – 2018-11-17T02:26:51.363