Feature Request: Native GUI Password Prompt for Sudo Commands

Resolved 💬 4 comments Opened Jan 15, 2026 by LGS-SwissIT Closed Jan 15, 2026

Feature Request: Native GUI Password Prompt for Sudo Commands

Summary

Add native support for secure GUI-based sudo authentication in Claude Code on Linux (and extend to macOS/Windows), allowing the AI to execute privileged commands while keeping passwords secure through user-interactive authentication.

Problem

Currently, Claude Code cannot execute sudo commands because:

  1. There's no TTY for interactive password input
  2. Passing passwords through the AI would be a security risk
  3. Users must manually run privileged commands outside Claude Code

This breaks workflow continuity, especially for system administration tasks like:

  • Security auditing (reading /etc/shadow, checking firewall rules)
  • Package management (dnf, apt)
  • Service management (systemctl)
  • System configuration

Proposed Solution

Implement a native GUI password prompt that:

  1. Intercepts commands requiring sudo
  2. Displays a secure password dialog (zenity/kdialog on Linux, osascript on macOS)
  3. Passes the password directly to sudo -S via stdin
  4. Never exposes the password to the AI model

Architecture

Claude Code (AI) → detects sudo needed → triggers GUI prompt
                                              ↓
User enters password in native dialog ──────────┐
                                                 ↓
Password passed directly to sudo -S ←───────────┘
                                                 ↓
Command executes with root privileges
                                                 ↓
Output returned to Claude Code (AI)

Current Workaround

I've implemented a working workaround using a shell script wrapper:

Script: ~/.claude/scripts/sudo-prompt.sh

#!/usr/bin/env bash
set -euo pipefail

if [[ $# -eq 0 ]]; then
    echo "Usage: $0 <command> [args...]" >&2
    exit 1
fi

# Detect available dialog tool
get_dialog_tool() {
    if command -v zenity &>/dev/null; then
        echo "zenity"
    elif command -v kdialog &>/dev/null; then
        echo "kdialog"
    else
        echo ""
    fi
}

prompt_password() {
    local tool="$1"
    local cmd_display="$2"

    case "$tool" in
        zenity)
            zenity --password \
                --title="Authentication Required" \
                --text="Enter password to run:\n<b>$cmd_display</b>" \
                2>/dev/null
            ;;
        kdialog)
            kdialog --password "Enter password to run:\n$cmd_display" \
                --title "Authentication Required" \
                2>/dev/null
            ;;
    esac
}

main() {
    local dialog_tool
    dialog_tool=$(get_dialog_tool)

    if [[ -z "$dialog_tool" ]]; then
        echo "Error: No GUI dialog tool found (zenity or kdialog required)" >&2
        exit 1
    fi

    local cmd_display="$*"
    if [[ ${#cmd_display} -gt 80 ]]; then
        cmd_display="${cmd_display:0:77}..."
    fi

    local password
    password=$(prompt_password "$dialog_tool" "$cmd_display") || exit 1

    if [[ -z "$password" ]]; then
        echo "Error: Empty password provided" >&2
        exit 1
    fi

    echo "$password" | sudo -S -p '' "$@"
}

main "$@"

Configuration: ~/.claude/settings.json

{
  "permissions": {
    "allow": [
      "Bash(~/.claude/scripts/sudo-prompt.sh:*)"
    ]
  }
}

Configuration: ~/.claude/CLAUDE.md

## Sudo Commands

When a command requires `sudo`, use the secure GUI password prompt:

\`\`\`bash
~/.claude/scripts/sudo-prompt.sh <command> [args...]
\`\`\`

Benefits of Native Implementation

  1. Security: Password never touches the AI model
  2. UX: Seamless workflow - no context switching
  3. Audit: Can log all privileged command attempts
  4. Cross-platform: Can use native dialogs per OS
  5. Configurable: Users can enable/disable per project

Platform-Specific Implementations

| Platform | Dialog Tool | Notes |
|----------|-------------|-------|
| Linux (GTK) | zenity | Most common on GNOME |
| Linux (Qt) | kdialog | KDE Plasma |
| macOS | osascript | Native AppleScript dialog |
| Windows | PowerShell | Get-Credential or similar |

Security Considerations

  • Password should be passed via stdin, never command-line arguments
  • Clear password from memory immediately after use
  • Optional: Integrate with system keyring for temporary caching
  • Optional: Require user opt-in via settings
  • Log sudo attempts for audit (without passwords)

Related

  • This is similar to how IDEs like VS Code handle sudo operations
  • macOS already has precedent with osascript for secure prompts

Environment

  • Claude Code version: Latest
  • OS: Fedora Linux 43
  • Shell: Bash

---

This feature request includes a working implementation that can serve as a reference for native integration.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗