Was trying to figure out how to execute a sudo command with the password as a parameter.
echo mypassword | sudo -S command
was using this reference Use sudo with password as parameter
However, on OS X it keeps say "sudo: incorrect password attempt" however that passwords is correct.
what am i doing wrong?
As pointed out in the comments already, what you're doing is a very bad idea because it leaves the password of an account laying around. Instead, if you need to run a specific command with sudo from a script, you could -- and you should -- define that single command for one specific user in such a way that its execution is allowed without having to type in the password.
So, you should edit /etc/sudoers to include an entry for your specific user for that one, single, specific command with the tag NOPASSWD:
youruser yourhostname = (root) NOPASSWD: /some/path/your/command
Or if you really don't feel like typing in the hostname of your computer, then go for:
youruser ALL = (root) NOPASSWD: /some/path/your/command
That way you will possibly leak the ability of executing that one, single command as root instead of leaking your password and with it the possibility of running any commands as root.
Related
I have a bash script that executes some PostgreSQL as
sudo -i -u postgres psql <<EOF > /dev/null
--SQL CODE
EOF
The sudo asks me for a password for the current user and I'd like to disable that. I don't want to provide a password inside the script through sudo -S. I know I can disable the password for sudo using visudo, however I need to specify the command for which to disable it (I don't want to disable it globally). How do I disable the sudo password for sudo -i -u postgres ?
You probably like a line in the sudoers file as follows:
script_user ALL = (postgres) NOPASSWD: /usr/bin/psql
The individual items in the line are as follows:
script_user: the (standard) user which uses the bash script (i.e., your user account)
ALL: special variable, here at the position where it indicates all hosts. You could try and limit this to e.g. localhost if you want
(postgres): user to run the command(s) as. That is, the user specified by the -u option
NOPASSWD: special variable indicating that the following command does not require a password (for this combination of user, sudo user and host, of course)
/usr/bin/psql: the specific command allowed. This could also be a comma-separated lists of commands, or ALL. (Obviously the path may be different on your machine.)
Related questions and answers on StackOverflow are a bit scattered and don't appear to fully answer your specific question, but I've come across an overall nice write-up on this topic by Abhijit Menon-Sen, which I found clearer to read than the various man pages on sudo & friends.
Background
I have a long bash script which setup a large environment of interconnected software, taking several hours to complete. A few of the tasks it performs need to be run as root, for which I use sudo .... The whole process is then paused until the user notices and types in the root password. I seek some way for the user to type in the root password only at the beginning of the script, and then automatically supply it when required by sudo later.
My thoughts on possible (bad) solutions
I could store the password directly in a variable and then supply it using
echo "${root_password}" | sudo -S ...
but something tells me that this is bad practice.
Another workaround would be to force the user to run the entire script as root, but wouldn't that lead to different permissions for all of the files generated without the use of sudo?
You can prompt it at the start of your script, so it is not plain text hard saved.
Example:
#!/bin/bash
read -s -p "[sudo] sudo password for $(whoami): " pass
echo $pass | sudo -S apt-get update
help read:
-r do not allow backslashes to escape any characters
-s do not echo input coming from a terminal
I suggest you figure out all of the commands you need the script to run using SUDO, ensure the script is run by a special unprivileged user (e.g. scriptuser), and then edit /etc/sudoers to permit scriptuser to run those commands with NOPASSWD
As an example:
scriptuser ALL = NOPASSWD: /bin/kill, /usr/bin/othercommand, etc.
If you know the complete commands, including arguments, that's ideal (it means that an attacker that compromises the scriptuser account can only run those specific commands as root)
Sudo has a lot of options configurable in /etc/sudoers. If you man sudoers , you should see all of them. Forewarning: This man page is very hard to understand. Find examples. Test them. Ask on StackExchange.
I'm trying to automate the build process which is done on linux server.
to do that first i need to login to the su and then perform the tasks for stopping and starting the server. I've written shell script to do that but there are some problems I'm facing,
1) even though I'm providing password from script using expect & send it tasks for password on terminal.
2) doing echo'password' | sudo -S su takes password automatically but says wrong even if it is right.
3) and when i put the password through terminal manually using su I get logged in to the su but the rest of the commands in script does not gets executed unless i do exit.
The script I've tried is,
echo 'password\n' | sudo -S su ##it says wrong password for su
commands to be performed after logging to su
exit
I've tried expect and send too,
su expect"Password" send "password\n";
and rest of the code here
but it's not fetching password from send automatically, I've to put it manually.
I would really appreciate if someone can help me with this!!
sudo requires the password of the user calling it, not the password of the superuser (or the user specified by the -u option). That may seem backwards, but the idea is that sudo can be configured to provide fine-grained control over what you are actually allowed to run as the superuser, rather than giving you access to the superuser account itself. Also, sudo keeps a log of who does what for auditing purposes.
If you used the wrong password, use the right password instead. Like others have already commented, sudo requires your password, not root's.
Additionally, your script is wrong. The sequence su; echo hello; exit will run a root shell with su, then when that shell exits, run echo hello and exit in your current shell.
You want this instead:
sudo -S sh -c 'echo hello'
The su is completely superfluous because sudo already takes care of switching to the root user, and offers a more convenient syntax for running commands as another user to boot. The sh -c '...' isn't strictly required in this example, but will probably be useful if you have more than one command which you wish to execute using elevated privileges. (Make sure you understand the implications. A useful commandment is to try to run even less code as sudo than you currently do. Always.)
I want to run the following sample bash script which needs sudo password for a command
#!/bin/bash
kinit #needs sudo password
vi hello.txt
while running the above script it is asking for password.
How can i pass the username and password in the command itself or is there any better way i can skip passing my password in the script ?
TL;DR
You can't—at least, not the way you think.
Longer Answer with Alternatives
You have a couple of options:
Authenticate interactively with sudo before running your script, e.g. sudo -v. The credentials will be temporarily cached, giving you time to run your script.
Add a specific command such as /usr/lib/klibc/bin/kinit to your sudoers file with the NOPASSWD option. See sudoers(5) and and visudo(8) for syntax.
Use gksudo(1) or kdesu(1) with the appropriate keyring to cache your credentials if you're using a desktop environment.
One or more of these will definitely get you where you want to go—just not the way you wanted to get there.
So if you have access to your full system, you can change your sudoers file to allow certain sudo commands to be run w/o a password.
On the command line run visudo
Find your user and change the line to look something like this:
pi ALL=(ALL) NOPASSWD: /path/to/kinit, /path/to/another/command
That should do it. Give it another shot!
Hope that helps
You shouldn't pass username and password. This is not secure and it is not going to work if the password is changed.
You can use this:
gksudo kinit # This is going to open a dialog asking for the password.
#sudo kinit # or this if you want to type your password in the terminal
vi hello.txt
Or you can run your script under root. But note that vi is going to be ran as root as well, which means that it will probably create files that belong to root, that might be not what you want.
This may be a stupid question.
I have a script that I want to be portable between Mac OS X and a Linux box I use. In OS X, a command in the script requires sudo, where on the Linux box, it does not.
Long story short, how does one run one command in a script with sudo, while then removing the elevated privileges for the rest of the script?
I have tried to use
su -
and
su -c
but they both seem to error out. (They say "sorry" and move on, I assume because it is trying to run as root and root does not have a password).
I know there has to be a silly and easy way to do this, what does everyone suggest?
You can 'revoke' the sudo permission (actually: close the sudo time window early) by doing:
sudo -k
Also, you can configure sudo to only allow elevated permissions on certain commands, or even to impersonate non-root for specific commands. See man sudoers. The examples section makes it exceedingly clear that there is virtually no limit to the configurability of sudo (roles, hosts, commands, allow escaping, allow sudo target users, exceptions to allowed things, password less authorization etc etc).
Hopefully an interesting example in your context:
The user fred can run commands as any user in the DB Runas_Alias (oracle or sybase) without giving a password.
fred ALL = (DB) NOPASSWD: ALL
If you can't / don't really want to meddle with /etc/sudoers (visudo!) then I suggest using something like
{
trap "sudo -k" EXIT INT QUIT TERM
sudo ls # whatever
}
Try sudo su instead of su to change back to a regular user.
Use sudo without su:
#!/bin/bash
whoami # Runs under your regular account
sudo whoami # Runs as root
whoami # Runs under your regular account again
Here's the output when I run it:
$ ./sudotest
gordon
Password:
root
gordon