How To add-trusted-cert on a Mac Remotely (without user interaction) - macos

Is it possible to add a trusted certificate on a Mac OS X 10.8.3 remotely? If so, how?
My current approach is to use the command below. Can it be tweaked so that it works remotely without user interaction?
security add-trusted-cert foo.cer
When I try the command above, I get SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible.
My situation: the tool I'm using executes /bin/sh -xe bar.sh on the target machine and I have control over [1] which user it executes as and [2] the contents of bar.sh which currently has security add-trusted-cert foo.cer. Unlocking the keychain first does not appear to be the answer.

The command below works but the password can be seen by another user with ps and maybe even ends up in a commmand-line history as well. If there's a better answer that avoids this problem, most likely I'll mark that one as the accepted answer.
echo "password" | sudo -S /usr/bin/security add-trusted-cert -d -r trustRoot -k /path/to/keychain /path/to/cert
I got it from http://www.bynkii.com/archives/2009/04/stupid_cert_tricks.html

Related

Cannot get keychain password via SSH

On a Mac (Big Sur) machine, I can easily get a password from the keychain via the command line:
security find-generic-password -l Foo -w
But, if I ssh into that same machine, the exact same command returns nothing.
Any ideas why that would be happening?
Jeff Holt's response helped me.
Indeed the remote keychain was locked and can be unlocked with security unlock-keychain. If you are interacting via the command line perhaps using a script you can test for whether the default keychain is unlocked with show-keychain-info which returns a non-zero value when locked.
In bash selectively prompt to unlock the keychain (with squashing of the redundant text output of show-keychain-info to stderr):
if ! $(security show-keychain-info 2> /dev/null); then
security unlock-keychain;
fi

Running sudo in shell script

I am just creating a little script which changes mac address. Everytime I run it i have to enter sudo password. How to allow script to enter password or skip sudo verification?
OR is there another way to create this script?Maybe use python?
So here is my script:
#!/bin/bash
nmcli radio wifi off
sudo macchanger wlp6s0 -a
nmcli radio wifi on
What you want to do is modify the sudoers file to allow the user running the script access to a specific command without having to enter a password.
See this answer for more information: https://askubuntu.com/questions/334318/sudoers-file-enable-nopasswd-for-user-all-commands
In short, call visudo and add the following entry:
your_user ALL=(ALL) NOPASSWD:/path/to/the/binary/macchanger wlp6s0 -a
Of course, exchange /path/to/the/binary/macchanger with the true path, found by running which macchanger.
Now the user your_user can run that single command with those exact arguments via sudo without password.
Also, as Cyrus pointed out, man is your friend. It's a good idea to always check the manpages first. More often than not you're going to find the answer to your question by reading it and trying some ideas. In this case: man visudo and man sudo.conf.
Instead of playing around with sudo and risking giving full root
access to programs that may act irresponsibly you can set
cap_net_admin on the binary:
sudo setcap cap_net_admin+ep "$(command -v macchanger)"
It's just one-time operation. Now you can remove sudo from your
script and it will work.
Maybe use python?
No, that wouldn't help. Language doesn't matter. It's kernel that
allows or forbids performing certain operations.

Disable sudo password for specific user login

I have a bash script that executes some PostgreSQL as
sudo -i -u postgres psql <<EOF > /dev/null
--SQL CODE
EOF
The sudo asks me for a password for the current user and I'd like to disable that. I don't want to provide a password inside the script through sudo -S. I know I can disable the password for sudo using visudo, however I need to specify the command for which to disable it (I don't want to disable it globally). How do I disable the sudo password for sudo -i -u postgres ?
You probably like a line in the sudoers file as follows:
script_user ALL = (postgres) NOPASSWD: /usr/bin/psql
The individual items in the line are as follows:
script_user: the (standard) user which uses the bash script (i.e., your user account)
ALL: special variable, here at the position where it indicates all hosts. You could try and limit this to e.g. localhost if you want
(postgres): user to run the command(s) as. That is, the user specified by the -u option
NOPASSWD: special variable indicating that the following command does not require a password (for this combination of user, sudo user and host, of course)
/usr/bin/psql: the specific command allowed. This could also be a comma-separated lists of commands, or ALL. (Obviously the path may be different on your machine.)
Related questions and answers on StackOverflow are a bit scattered and don't appear to fully answer your specific question, but I've come across an overall nice write-up on this topic by Abhijit Menon-Sen, which I found clearer to read than the various man pages on sudo & friends.

Login to su and take the password from the same script

I'm trying to automate the build process which is done on linux server.
to do that first i need to login to the su and then perform the tasks for stopping and starting the server. I've written shell script to do that but there are some problems I'm facing,
1) even though I'm providing password from script using expect & send it tasks for password on terminal.
2) doing echo'password' | sudo -S su takes password automatically but says wrong even if it is right.
3) and when i put the password through terminal manually using su I get logged in to the su but the rest of the commands in script does not gets executed unless i do exit.
The script I've tried is,
echo 'password\n' | sudo -S su ##it says wrong password for su
commands to be performed after logging to su
exit
I've tried expect and send too,
su expect"Password" send "password\n";
and rest of the code here
but it's not fetching password from send automatically, I've to put it manually.
I would really appreciate if someone can help me with this!!
sudo requires the password of the user calling it, not the password of the superuser (or the user specified by the -u option). That may seem backwards, but the idea is that sudo can be configured to provide fine-grained control over what you are actually allowed to run as the superuser, rather than giving you access to the superuser account itself. Also, sudo keeps a log of who does what for auditing purposes.
If you used the wrong password, use the right password instead. Like others have already commented, sudo requires your password, not root's.
Additionally, your script is wrong. The sequence su; echo hello; exit will run a root shell with su, then when that shell exits, run echo hello and exit in your current shell.
You want this instead:
sudo -S sh -c 'echo hello'
The su is completely superfluous because sudo already takes care of switching to the root user, and offers a more convenient syntax for running commands as another user to boot. The sh -c '...' isn't strictly required in this example, but will probably be useful if you have more than one command which you wish to execute using elevated privileges. (Make sure you understand the implications. A useful commandment is to try to run even less code as sudo than you currently do. Always.)

Any security risks with sudo password from standard input over ssh?

I want to execute sudo over ssh on remote servers and supply the password over standard input. The following code is in a shell script on a secured server with restricted access. The password is asked beforehand and the servers use all the same sudo password. The someaction can surely take some seconds to execute.
Here is the shell script extract:
read -s -p "please enter your sudo password" PASSWORD
ssh user#host1 -t "echo '$PASSWORD' | sudo -S someaction"
ssh user#host2 -t "echo '$PASSWORD' | sudo -S someaction"
My question: Is it safe to use echo with a pipe? And are here any security problems that might occur, like logging the echo result on the remote server, etc?
Maybe somebody has a better suggestion?
Note: I know other tools can do this, like ansible etc. I am not looking for another similar tool, just want to know whether using ssh/echo/sudo in the mentioned way is safe.
Yes!
As long as the command is running anybody that can view all processes can view that password, by running ps aux | grep echo:
root [..] zsh -c echo topsecret | sudo -C action
You could configure sudo to not ask the password for a specific task for a user, that would certainly increase security over this solution.

Resources