Feature suggestion: built-in sudo watcher for privileged operations

Resolved 💬 5 comments Opened Feb 27, 2026 by glutamatt Closed Mar 30, 2026

Problem

Claude Code frequently needs root privileges (writing to sysfs, systemctl, modprobe, apt install, editing system configs, etc.) but has no built-in mechanism for elevated execution. Users either have to run Claude Code itself as root (bad practice) or manually prefix commands and approve each one.

Solution: file-based sudo watcher

A simple pattern that works well in practice:

  1. User starts a watcher loop in a spare terminal: sudo-claude-loop
  2. The watcher polls for a command file and executes it as root
  3. Claude writes commands to that file, waits for consumption, reads the output
  4. The watcher executes as root, captures output, deletes the command file

This is ~30 lines of bash. It keeps privilege escalation explicit (user starts the watcher, sees every command executed in their terminal), while letting Claude chain root operations without per-command approval.

Security considerations

The exchange directory must not be world-writable. Mitigations:

  • Use ~/.claude/sudo/ with 0700 permissions instead of /tmp — only your user can write to it
  • Validate file ownership/UID before the watcher executes anything
  • Use mktemp -d with restrictive permissions for the exchange directory
  • The watcher terminal displays every command as it runs — you see what's being executed

This is a quick-and-dirty pattern for single-user dev workstations to avoid constantly copy-pasting privileged commands. It is not a production security model.

Why it's useful broadly

  • System administration: service management, package installs, config edits
  • Hardware/embedded work: sysfs writes, kernel module loading, device access
  • Docker without rootless: container management
  • Development: anything touching /usr/local/bin, /etc, systemd units

Current implementation

I've been using this as a Claude Code skill (~/.claude/skills/sudo-watcher/). The skill teaches Claude when and how to use the watcher, including checking if it's running and prompting the user to start it. Happy to share the full implementation if useful.

The self-elevating script pattern (exec sudo "$0" if not root) means users just run one command with no setup beyond having the script in PATH.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗