Hide plaintext password from showing in bash script? - linux

I have the following bash script to restart the network manager in Debian. The script works as is it should, but not as I would like it to. When the script asks for the sudo password I am able to pass it along using echo, but it displays the password in terminal while the script executes, making it less asthetically pleasing than I would like. Is there anyway to have the script enter the password, but not display the password text while the script calls for the sudo password?
I have tried as many suggestions on Stack Overflow as i could find, well as Stack Exchange before submitting this question.
Script is as follows:
#!/bin/bash
clear
echo "Restarting service Network Manager"
echo""
sleep 1
echo -e "\033[0;31m......................................\033[0m"
echo -e "\033[0;31m......................................\033[0m"
sleep 1
echo""
sudo service network-manager restart
sleep 2
echo <Password>
sleep 2
echo "Service Network Manager Restarted"
sleep 1
echo ""
echo "Relinquishing control of terminal to user..."
sleep 7
clear

Remove the echo <Password> line? I am pretty sure it does nothing other than display the password, as sudo apparently (through an appropriate entry in /etc/sudoers) works without you having to give a password. (What you write to terminal with echo does not get passed to any other process.)
Generally speaking, you can use sudo -S to make sudo expect the password on stdin. But also generally speaking, if you have to hardcode a password in a script, you're doing it wrong in some way.

Is there anyway to have the script enter the password
Putting password in script is not a good idea. First, from security point of view, password may be recovered from script from anyone with access to script. Second, from maintenance view, once you change your password, scripts suddenly stop working and you have to update them all.
Fortunately, as you are already using sudo there is better solution. You can configure sudo to allow running certain command without password, by using NOPASSWD rule in /etc/sudoers.
myuser ALL=(ALL) NOPASSWD: service network-manager restart
See:
How do I run specific sudo commands without a password?
How to run a specific program as root without a password prompt?
Warning: Always edit /etc/sudoers with visudo, never directly. It prevents you from breaking /etc/sudoers. Once you break your /etc/sudoers, you won't be able to use sudo, including using sudo to fix /etc/sudoers.

try this /bin/echo -e "password\n" | sudo apt-get update
or see this Use sudo with password as parameter

Related

Pass two password to su commands

I am trying to run shell comment through PHP scripts.
I want to first su into a user then run a sudo command. I tried:
echo mypassword | (su -c "sudo reboot" user2)
It doesn't work because it requires two password and I only passed one password. I checked many other posts, the solution below doesn't work for me because I don't have the sudo password for the current user. I need to change the user a first then do a sudo. Can I get some help?
echo mypassword | sudo -s ... Not work...
I know this is a bad practice. I just need it to restart server as the port 22 is closed accidentally. I can't ssh into the server to do any operations..
This is ONE time use to reboot the server from PHP side as I am not able to reach the admin to reboot the server right now. I fully understand the disadvantages... Please DO NOT suggest the disadvantages.
Since it's an one time thing, try to use the following. It spawns a sudo environment (for the current user) in which sudo reboot is called.
#! /bin/bash
read -sp "pass? " pass
expect 2>&1 <<-EOF
spawn sudo reboot
expect "*: " { send "${pass}\r" }
expect eof
catch wait result
exit [lindex \$result 3]
EOF
exit $?
You can call it as follows to automate stuff.
$ ./test.sh <<-EOF
notreallymypassword
EOF
Note: Although I think it works, I haven't tested it yet.

Is it possible to disable sudo timeout in the current shell?

Certain applications (for example yay) uses sudo to run some commands as root. This means that I have to sit in front of the terminal and wait until I'm prompted by sudo for a password, then enter it manually to make yay continue. I can avoid this by running a command as sudo first (like sudo -v). That way yay can run commands as sudo without it prompting me for a password.
But some times, applications take so long to install that the sudo session times out (15 minutes) and sudo re-prompts me for a password. Since I usually leave my computer or switch to a different workspace while this happens, the sudo password prompt usually times out which is super annoying.
I don't want to disable the sudo timeout altogether, since it's there for a reason. However, when I expect that a command that uses sudo will take a long time, I would like to be able to disable sudo timing out for the current shell only.
Something like:
sudo --disable-timeout
Now I should be able to run sudo in the current shell, without ever having to re-enter my password, or until I run sudo -k.
Is something like this possible, or will I have to write a wrapper script that regularly refreshes the sudo session for me?
Here is one possible workaround. Write a script like this (e.g. sudo-stay-validated.sh):
#!/bin/bash
while true; do
sudo -v
sleep 60
done
Run the script in the terminal where sudo should stay validated:
$ bash sudo-stay-validated.sh
Press Ctrl+Z to place it in the background, then remember to run $ bg to resume the script in the background.
This keeps sudo validated in the current shell until it's closed.
There seems no easy way to do this for the current shell but you can set a timeout globally.
In order to set a different timeout (globally) than the default (=15 min) you can edit /etc/sudoers:
sudo visudo # opens /etc/sudoers for editing
# change the following line:
# Defaults env_reset
# to:
Defaults env_reset,timestamp_timeout=30 # timeout in minutes
Or:
cd /etc/sudoers.d
sudo visudo -f username
Defaults env_reset,timestamp_timeout=30 # timeout in minutes
Special values:
-1: no timeout
0: get prompted every single time
Generally, the sudo timeout is there for a (security) reason. When you (successfully) try to circumvent that timeout, you weaken the security of your system. So, lets have another look on the stated problem: you run a lengthy job, after some time sudo asks for a password and times out. You propose preventing sudo from asking for the password. Alternatively, prevent sudo from timing out. Put:
Defaults passwd_timeout=0
into your sudoers file to let sudo wait until you enter your password. This will prevent your timeout problem but will stall your build until you enter the password. On the plus side, you avoid compromising security.
Alternatively, since you mention yay specifically, there is a command line option for yay which makes it call sudo in the background to prevent it from timing out. From man sway:
--sudoloop
Loop sudo calls in the background to prevent sudo from timing out during long builds.
Well, why not to use screen for this purpose? Connect with ssh, start screen, start your command and de-attach from screen. Then when you ready to check if it your procedure completed then attach again. But even better send an email notification to special email address and your phone will notify you that the job is done (I hope that you have more or less modern cell phone). https://linux.die.net/man/1/screen

'su' by using 'script' in Docker returns different results compared to the standard environment

I need to request certain commands via su including password in one line.
I found a solution and it is working in a standard environment (Ubuntu) (more about solution here):
{ sleep 1; echo password; } | script -qc 'su -l user -c id' /dev/null | tail -n +2
But I am faced with the problem that this solution is not suitable in a Docker container environment
Script terminates the command without waiting for echo and as a result i get:
su: Authentication failure
Any help is much appreciated.
Passing the password for su via stdin is problematic for various reasons: the biggest one is probably that your password will end up in the history.
You could instead:
Call the entire script as the specific user and thus enter the password manually
Use sudo with the appropriate NOPASSWD sudoers configuration
In your case you are using docker, so you could just set the USER in your Dockerfile

can we write a simple bash script to automatically login as root user

I usually have to login in 20 to 50 times daily as a super user, typing the long password again and again..
i have just created a simple bash script
#!/bin/bash
sudo -s
echo password
./test
output root#localhost:
password
when i execute it, it works like charm... but it shows my password on the screen.....
do some one have any other best solution...... for this small problem.......
i hope this is not all the solution in security standard...... can we have any other solution with out exposing my password.....
You can pipe the echo'd password into a command. Try something like this:
echo myPassword | sudo -S
You can see come more info on this here.
Question is, do you REALLY want your password in a shell script file? (just emphasizing that its a terrible idea)
Is there a reason that you can't sudo su - to just become the root user instead of prepending all of your commands with sudo blah?
just change ownership of the script to root & set SUID-Bit in user the permissions
chmod u=rws g+x o+x script123
the script will run as root for every user
You can configure sudo to require a password only every so many minutes. The default is 5 minutes. Read the sudoers man page and scroll down to this:
timestamp_timeout
Number of minutes that can elapse before sudo will ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
delete their own timestamps via sudo -v and sudo -k
respectively.
simple solution is to use key base authentication
Use ssh-copy-id instead following from this tutorial which is secure

Enter password for a sudo command in a chain of commands

In Linux how can I enter the password for one of the commands in a chain of commands which requires a sudo. One example which I can think of is when after running a long compile job, I want to shutdown the machine.
make ; sudo init 0
I want the shutdown command to run only after make finishes, but would like to enter the password right away, because I won't be there when the first command is done. Also, I don't want to run "make" with super user privileges. So switching to root and running the commands is also out of the question.
Thanks!
sudo sh -c "su -c 'make' $USER && init 0"
Change your uid early and often. That's the Chicago way!
You can run sudo -v to update the sudo timestamp - this means you won't need to enter a password for x minutes (default is 5). You can change the timeout by editing the timestamp_timeout in the sudoers file.
You also might want to change your command to
make && sudo init 0
which will only shut down if make completes successfully.
One possibility is to use Expect
to automate the password input.
Here's a simple HOW-TO for expect and passwords: http://www.linux.com/archive/feed/56066
Another possibility is to edit your /etc/sudoers and set your user to be able to use sudo without password. if you check the file it will be explained in the comments there.
Why not pipe the password into sudo?
make; echo 'password' | sudo -S init 0
Change the timeout for sudo to something long enough to cover your usage, then run something like sudo echo to authenticate, then run your other commands. As long as the password timeout hasn't been reached, it should execute without asking again.
You can add that to your sudoers file
username ALL = NOPASSWD: /sbin/init
where username is the username you want to allow.

Resources