Feature Request: Native GUI Password Prompt for Sudo Commands
Feature Request: Native GUI Password Prompt for Sudo Commands
Summary
Add native support for secure GUI-based sudo authentication in Claude Code on Linux (and extend to macOS/Windows), allowing the AI to execute privileged commands while keeping passwords secure through user-interactive authentication.
Problem
Currently, Claude Code cannot execute sudo commands because:
- There's no TTY for interactive password input
- Passing passwords through the AI would be a security risk
- Users must manually run privileged commands outside Claude Code
This breaks workflow continuity, especially for system administration tasks like:
- Security auditing (reading
/etc/shadow, checking firewall rules) - Package management (
dnf,apt) - Service management (
systemctl) - System configuration
Proposed Solution
Implement a native GUI password prompt that:
- Intercepts commands requiring
sudo - Displays a secure password dialog (zenity/kdialog on Linux, osascript on macOS)
- Passes the password directly to
sudo -Svia stdin - Never exposes the password to the AI model
Architecture
Claude Code (AI) → detects sudo needed → triggers GUI prompt
↓
User enters password in native dialog ──────────┐
↓
Password passed directly to sudo -S ←───────────┘
↓
Command executes with root privileges
↓
Output returned to Claude Code (AI)
Current Workaround
I've implemented a working workaround using a shell script wrapper:
Script: ~/.claude/scripts/sudo-prompt.sh
#!/usr/bin/env bash
set -euo pipefail
if [[ $# -eq 0 ]]; then
echo "Usage: $0 <command> [args...]" >&2
exit 1
fi
# Detect available dialog tool
get_dialog_tool() {
if command -v zenity &>/dev/null; then
echo "zenity"
elif command -v kdialog &>/dev/null; then
echo "kdialog"
else
echo ""
fi
}
prompt_password() {
local tool="$1"
local cmd_display="$2"
case "$tool" in
zenity)
zenity --password \
--title="Authentication Required" \
--text="Enter password to run:\n<b>$cmd_display</b>" \
2>/dev/null
;;
kdialog)
kdialog --password "Enter password to run:\n$cmd_display" \
--title "Authentication Required" \
2>/dev/null
;;
esac
}
main() {
local dialog_tool
dialog_tool=$(get_dialog_tool)
if [[ -z "$dialog_tool" ]]; then
echo "Error: No GUI dialog tool found (zenity or kdialog required)" >&2
exit 1
fi
local cmd_display="$*"
if [[ ${#cmd_display} -gt 80 ]]; then
cmd_display="${cmd_display:0:77}..."
fi
local password
password=$(prompt_password "$dialog_tool" "$cmd_display") || exit 1
if [[ -z "$password" ]]; then
echo "Error: Empty password provided" >&2
exit 1
fi
echo "$password" | sudo -S -p '' "$@"
}
main "$@"
Configuration: ~/.claude/settings.json
{
"permissions": {
"allow": [
"Bash(~/.claude/scripts/sudo-prompt.sh:*)"
]
}
}
Configuration: ~/.claude/CLAUDE.md
## Sudo Commands
When a command requires `sudo`, use the secure GUI password prompt:
\`\`\`bash
~/.claude/scripts/sudo-prompt.sh <command> [args...]
\`\`\`
Benefits of Native Implementation
- Security: Password never touches the AI model
- UX: Seamless workflow - no context switching
- Audit: Can log all privileged command attempts
- Cross-platform: Can use native dialogs per OS
- Configurable: Users can enable/disable per project
Platform-Specific Implementations
| Platform | Dialog Tool | Notes |
|----------|-------------|-------|
| Linux (GTK) | zenity | Most common on GNOME |
| Linux (Qt) | kdialog | KDE Plasma |
| macOS | osascript | Native AppleScript dialog |
| Windows | PowerShell | Get-Credential or similar |
Security Considerations
- Password should be passed via stdin, never command-line arguments
- Clear password from memory immediately after use
- Optional: Integrate with system keyring for temporary caching
- Optional: Require user opt-in via settings
- Log sudo attempts for audit (without passwords)
Related
- This is similar to how IDEs like VS Code handle sudo operations
- macOS already has precedent with
osascriptfor secure prompts
Environment
- Claude Code version: Latest
- OS: Fedora Linux 43
- Shell: Bash
---
This feature request includes a working implementation that can serve as a reference for native integration.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗