I am a technician managing 10 Mac Computers. I do not have and MDM to manage them. I manage them manually and one by one... I have some of my Mac Computers that even putting them non Administrator, their managed account comes back to be administrator.
I am at the point where I will write a script to prevent them from falling administrator.
This is my script :
PASSWORD=$(echo U2FsdGVkX1+6JWRG1T9hsA/DIOfb2OZdXBf9uVcYTxY= | openssl enc -aes-128-cbc -a -d -salt -pass pass:wtf)
echo $PASSWORD | sudo -u administrateur adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
for user in $adminUsers
do
if [ "$user" != "root" ] && [ "$user" != "administrateur" ]
then
dseditgroup -o edit -d $user -t user admin
if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
else
echo "Admin user $user left alone"
fi
done
The encryption command works but my second command(line 2) can't take my variable $PASSWORD, I have this :
sudo: administrateur: command not found
The script get stuck at "administrateur" from line 2.
There are several problems with the line
echo $PASSWORD | sudo -u administrateur adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
First, $PASSWORD isn't in double-quotes, so several special characters might cause trouble. Actually, echo has its own problems with special characters, so printf '%s\n' "$PASSWORD" would be much more reliable.
Except that sudo doesn't accept passwords over standard input, so the pipe won't work anyway.
Also, you can't do a variable assignment in a sudo command. Well, you can, but it's useless because it would make a subprocess as the other user, set the variable in that subprocess... and then exit the subprocess so the variable vanishes along with it.
And the order of evaluation is all wrong. The shell expands the $( ) part before running any of the commands (and as the current user). So it expands to something like:
echo pwgoeshere | sudo -u administrateur adminUsers=root administrateur
... which will tell sudo to run the command administrateur with the variable adminUsers set to "root". Not what you want at all.
But there's good news: dscl can read the group membership from any user account, so you don't need sudo or any of that. Just use:
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c 18-)
On the other hand, dseditgroup does need special access to change group membership. What user is this script running as? If it's already running as root, it'll just work. If not, you could use sudo (with the complications of passing the password to that), or much simpler pass the admin credentials as arguments, with the -u and `-P options:
dseditgroup -o edit -u administrateur -P "$PASSWORD" -d "$user" -t user admin
Two more suggestions: use lowercase variable names (e.g. password instead of PASSWORD) to avoid conflicts with the various the various all-caps names with special meanings, and run your scripts through shellcheck.net and correct the things it points out.
Related
How do I pass my password to sudo from an environment variable through stdin without the sudo prompt appearing?
I have tried $ echo $PASSWORD | sudo -S echo foo but that returns [sudo] password for mithic: foo.
Using the -n flag just always returns sudo: a password is required (unless I have recently inputted the correct password).
You can set an empty password prompt:
printf '%s\n' "$PASSWORD" | sudo -p "" -S echo foo
If it's really in the environment, I would recommend using the -A option instead of -S. Write a very small script that writes the value to standard output.
#!/bin/sh
printf '%s' "$PASSWORD"
Call it something like asker and make it executable
chmod +x asker
The do the following:
SUDO_ASKPASS=./asker sudo -A echo foo
-A makes sudo run the executable named by SUDO_ASKPASS and read the password from its output.
I'm trying to do an script that will add users by a file, the commands works but create a user with unknown password, so I've removed the password but when he logs, he doesn't log in the terminal that he should, like
user#machine:~$ he just log in $, that is a old bash interface, my code is:
#!/bin/bash
for i in $(cat users) #file with the users
do
useradd $i -g redes2016 -m #creating users in group redes2016 with a home directory
passwd -d $i #deleting user password
chage -d 0 $i #forcing him to change he password at next login (doesn't work)
done
I have following postgres backup script, its a shell script and written to run ans postgres user.
But the problem is postgres user doesn't have permission to write these directories. I as a user don't have sudo on these machines but I have changed the directory to has 755 and added to one of the group that has major permission to do read-write-execute. Since postgres user isn't part of the unix user group I guess I am running into this issue.
My goal is to put this in the cron-tab but prior to that I need to get the script running with proper permission:
#!/bin/bash
# location to store backups
backup_dir="/location/to/dir"
# name of the backup file has the date
backup_date=`date +%d-%m-%Y`
# only keep the backup for 30 days (maintain low storage)
number_of_days=30
databases=`psql -l -t | cut -d'|' -f1 | sed -e 's/ //g' -e '/^$/d'`
for i in $databases; do
if [ "$i" != "template0" ] && [ "$i" != "template1" ]; then
echo Dumping $i to $backup_dir$i\_$backup_date
pg_dump -Fc $i > $backup_dir$i\_$backup_date
fi
done
find $backup_dir -type f -prune -mtime +$number_of_days -exec rm -f {} \;
Before doing this be sure to login as a super user (sudo su) and try executing these:
useradd -G unix postgres (Add postgres user to unix group)
su postgres (Login as postgres user)
mkdir folder (Go to the directory where postgres needs to write files)
***From this line down is my answer to #find-missing-semicolon question
Just to illustrate an example with a shell script, you can capture the password using the read command and put it to a variable. Here I stored the password in password and echoed it afterwards. I hope this helps.
`#!/bin/bash`
`read -s -p "Password: " password`
`echo $password`
i have a problem with my bash script. I read line by line the variable lvm_path_exec, that works. I confirmed it with echo "lvmpath".
But as soon as i place a sshpass command into the while statement the script only process the first line which got grepped.
If there is no sshpass command all lines of lvmpath_exec get processed.
Do you see the error?
lvmpath_exec=$(sshpass -p "${password[$i]}" ssh ${user[$i]}#${ip[$i]} -p ${port[$i]} lvdisplay | grep datatest -A 3 | grep Path | awk '{ print $3 }')
echo "$lvmpath_exec" | while read lvmpath
do
lvmname=datatest
snap=_snapshot
snapname=$lvmname$snap
lvcreate=$(sshpass -p "${password[$i]}" ssh ${user[$i]}#${ip[$i]} -p ${port[$i]} lvcreate -L20G -s -n $snapname $lvmpath)
snap_path=$(sshpass -p "${password[$i]}" ssh ${user[$i]}#${ip[$i]} -p ${port[$i]} lvdisplay | grep $snapname -A 3 | grep Path | awk '{ print $3 }')
transfer=$(sshpass -p "${password[$i]}" ssh ${user[$i]}#${ip[$i]} -p ${port[$i]} "dd if=$snap_path | gzip -c" > /tmp/$snapname)
delsnap=$(sshpass -p "${password[$i]}" ssh ${user[$i]}#${ip[$i]} -p ${port[$i]} lvremove -f $snap_path)
done
UPDATE
I fixed it:
replace
echo "$lvmpath_exec" | while read lvmpath
with
for lvmpath in $lvmpath_exec
But shouldnt it work with while read too?
sshpass works by manipulating stdin to fool ssh into thinking it is getting the password from an interactive user. When you use a ... | while style loop, the loop iterates for every line coming from stdin, which sshpass wipes out after the first call, that's why only the first line gets executed. The for loop doesn't use stdin, that's why it doesn't have this problem.
As man sshpass explains, this tool is inherently insecure and you should really be using public key authentication instead. Also keep in mind that it has other ways of passing the password, using the -p flag is the least safe method of all, and any other method would be safer, for example the -e flag seems trivially easy. I know you might insist you have a legitimate use case, but this is so important I'm just gonna quote from the man page:
First and foremost, users of sshpass should realize that ssh's insis‐
tance on only getting the password interactively is not without reason.
It is close to impossible to securely store the password, and users of
sshpass should consider whether ssh's public key authentication pro‐
vides the same end-user experience, while involving less hassle and
being more secure.
The -p option should be considered the least secure of all of sshpass's
options. All system users can see the password in the command line
with a simple "ps" command. Sshpass makes a minimal attempt to hide the
password, but such attempts are doomed to create race conditions with‐
out actually solving the problem. Users of sshpass are encouraged to
use one of the other password passing techniques, which are all more
secure.
have you tried this..have not tried though
export SSHPASS=password[$i]
sshpass -e ssh -oBatchMode=no user[$i]#{ip[$i]} ..
I'm trying to write a bash script that runs a mysqldump command that uses the -p flag. This flag prompts the user for a password, which works as expected when run in the shell directly, but does not appear when run in a script.
#!/usr/bin/env
ssh user#domain.com 'mysqldump -u mysqluser -p --databases foo | bzip2' > ~/temp/foo-dump.sql.bz2
Now I could embed the password in the script or pass it as an arguments, but I really want the script to prompt the user for the password so the password doesn't show up in my scripts repo or in my bash history.
Anyone have any idea on how to accomplish this?
This should do the trick:
read -p "mysql password: " PASS && ssh user#domain.com 'mysqldump -u mysqluser -p'$PASS' --databases foo | bzip2' > foo-dump.sql.bz2 ; PASS=""
In this case, you will first enter the mysql password, and then be prompted for the ssh password. Note that the mysql password will not be hidden, i.e., someone can read it over your shoulder. If you want to avoid that, use the flag -s
read -s -p "mysql password: " PASS && ...
Note also that there mustn't be any space between the "p" (in -p for password) and the quotation mark for the password variable.
Also, your shebang is not specifying which interpreter to use, which might be a problem. I'd suggest you use #!/bin/bash or #!/usr/bin/env bash.