How/where to provide sudo password for Vagrant shell provisioners? - linux

I am trying to build a Vagrant box (CentOS) that will be provisioned by an install.sh shell script. This script will do several things, the first of which, involves creating the correct directory structure under /opt so that my service can be installed there and do other things, like writing logs there, as well.
So my Vagrant project (so far) consists of:
my-app-vagrant/
Vagrantfile
install.sh
Where install.sh looks like:
mkdir /opt/myapp
mkdir /opt/myapp/bin # Where we will install binary to (later in this script)
mkdir /opt/myapp/logs # Where the binary will write logs to
Now the binary does not need elevated privileges in order to run (it is configured via command-line arguments where to write logs to). However I simply want it to live under /opt with the above directory structure, at least for this particular machine.
The problem is that /opt is owned by root. Which means I need to run these mkdirs with sudo, provide the script the password for sudo, and then tweak directory permissions so that when the app runs, it has permission to both run and to write logs to my intended destination (which again, is /opt/myapp/logs). So I tweaked install.sh to look like this:
mkdir /opt/myapp
mkdir /opt/myapp/bin
mkdir /opt/myapp/logs
chmod -R 777 /opt/myapp # Now when the app runs as a normal non-privileged user, we can run + write logs
And I know that I can provide a password to the script via echo <rootPswd> | sudo -S sh install.sh (where <rootPswd> is the correct root password).
Now I'm trying to figure out how to get this running/working correctly when Vagrant is provisioning the VM.
My Vagrant file looks like:
Vagrant.configure(2) do |config|
config.vm.provision "shell", path: "install.sh"
config.vm.box = "centos7"
config.vm.box_url = "https://github.com/tommy-muehle/puppet-vagrant-boxes/releases/download/1.1.0/centos-7.0-x86_64.box"
config.vm.network "private_network", ip: "10.0.1.2"
config.vm.provider "virtualbox" do |vb|
vb.memory = "2048"
end
end
But what I'm stuck on is: how do I extend the whole "echo <rootPswd> | sudo -S sh install.sh"-concept to Vagrant? According to their docs there is a privileged option that I might be able to use, but it is set to true by default anyways.
But nowhere in their docs do they explain how/where to provide the sudo password that should be used (at least from what I have been able to find so far).
So I ask:
How do I provide the sudo password for a Vagrant VM's shell provisioner's installation script?; and
Where can I find out what the sudo password even if, given the base Vagrant box that I'm trying to use?

Turns out that (for almost all Vagrant boxes) the vagrant user is listed in /etc/sudoers with ALL=(ALL) NOPASSWD:ALL permissions, which instructs Linux to not ask that user for a "sudo password", ever.
Hence, you don't need to supply your privileged user with a sudo password.

While smeeb's answer is the case even to this day, it doesn't quite answer the question. Really there are different ways to do this depending on the provisioner you are using. For example, in Ansible you can use ask_become_pass to be asked for the password prior.
With the shell provisioner you won't have any helpers outside of those Ansible provide. If privileged doesn't do it for you then you'd probably need to just sudo manually.
To do this you can use the following:
echo "mypassword" | sudo -S command
Take heed though, doing this on something throwaway will mean you will have traces in your history of that password.

Related

SSH and sudo over a pseudo-tty terminal

I am trying to overcome some limitations in our environment to write up an authorized SSH file for passwordless ssh keys.
I am requiring to perform an ssh as a to a target system, and then run a "sudo su - , and then update the service account authorized_keys with a key"
This eventually has to go onto my ansible scripts.
I am using "ssh -t user#target "sudo su - service-user" - which actually successfully gets me into a shell for service-user. But I am not able to figure out a way to pass along the file modify commands with the above.
Any tips or alternative options?
Note: I need to use "ssh -t" option as the requiretty is not set on target systems.
Cheers!
Depending on what transport you're using you can use ssh_args.
OpenSSH is the default connection type for Ansible on OSes that are new enough to support ControlPersist. (This means basically all operating systems except Enterprise Linux 6 or earlier).
Then you can do something like this in your ansible.cfg:
ssh_args = -t -t
Which will force ansible to connect the same way you do manually.
Then in your playbook or together with the task where you need it specify become and become_user
- name: Some task
debug: msg="this is a test"
become: true
become_user: someuser
su has an option, -c, that allows you to pass along a command to execute instead of launching a new shell.
-c, --command=COMMAND
pass a single COMMAND to the shell with -c
However, you're authenticating with sudo, which already does this by default; you can just cut su out of the command entirely:
ssh -t user#target "sudo -u service-user <your-command>"
To go one step further, you note that you're planning on putting this into an Ansible playbook. If so, you probably shouldn't be spending too much time trying to do this manually - Ansible will handle running commands remotely (that's one of its primary features, after all), and has a module for modifying the authorized_keys file.

Script for logging in as user and executing another script

I need to run a set of commands after logging into a remote machine -
sudo su - weblogic
Enter password
sh /pathtofile.sh
The following approach doesnt do anything. It logs me into the server as weblogic but then does nothing. When I press Ctrl + C, it then executes sh/pathtofile.sh
ssh -t user#host 'sudo su - weblogic; sh /pathtofile.sh'
I have searched everywhere I could, but however I cannot find the right solution to this. Please help!
The test failed for the SUID or setuid for a script because on linux it is disable by default for script.
To use SUID you might want to create an binary executable which in turn starts the final script. SUID should work with binaries.
-- for reference --
Normal users on the system who have permission to execute this file gain the privileges of the user who owns the file.
sudo chown weblogic /pathtofile.sh
sudo chmod 4755 ./pathtofile.sh

Nonroot user account set up that has "sudo" privileges for Windows

This question is a bit specific and I want to do the equivalent of the following code:
# these commands must be run as root
root#server:$ useradd -m -s /bin/bash elspeth # add user named elspeth
# -m creates a home folder, -s sets elspeth to use bash by default
root#server:$ usermod -a -G sudo elspeth # add elspeth to the sudoers group
root#server:$ passwd elspeth # set password for elspeth
root#server:$ su - elspeth # switch-user to being elspeth!
elspeth#server:$
elspeth#server:$ sudo apt-get install nginx
elspeth#server:$ sudo service nginx start
I click "Run as administrator" when opening the Command Prompt, which I assume is "running as root."
I did a little research and found commands like net user (username) (pwd) which I assume are Windows equivalents. Now first, the sudo group part I am confused. I enter:
net localgroup sudo (user) /add
but get a "The specified local group does not exist." Am I to just make a new "sudo" group?
There is also the part of the code setting a user to "use bash by default" of which I do not know/understand the Windows equivalent.
Lastly for the first chunk of code, there is a su command. Would runas be the equivalent? I read that you can switch users from the command prompt on Windows through runas but then I have to specify a program to run (would it be bash in this case?)
And from what I read on StackOverflow, runas is actually the Windows equivalent to Linux's sudo, which gets more confusing for me in the second chunk of code where we have to use sudo (and for what it's worth, sudo is an unrecognized command for me).
For reference and context, this is the book I am using and the exact excerpt dealing with this code:
http://chimera.labs.oreilly.com/books/1234000000754/ch08.html#_user_accounts_ssh_and_privileges
You can't just translate commands like that into Windows; Linux and Windows are completely different especially when it comes to user management.
sudo is just switch user do; it allows you to run a command as another user. In most cases, this is done to allow normal users to execute commands as root.
On Windows, this is "Run As Administrator"; or if you are already part of the Administrator's group - then you can skip this entirely.
The first line adds a user, assigns them a home directory and a shell.
In Windows, you simply add a user; as there really isn't a concept of "shell" in Windows - that is, all users by default use the Windows Desktop Environment - which is their "shell". A shell is just a program that accepts input for execution. Most texts will tell you that cmd.exe (or PowerShell) is the "shell", but this is not strictly true. These are just another interface to execute commands - the main "shell" is Windows itself.
Further, all users get a home directory by default (unless they are a system account).
For more on how to actually create the users and add them to groups, see PowerShell: Create Local User Account
Your last two lines are installing nginx; the closest thing for that command on Windows is chocolatey, but it needs to already be installed.
Otherwise, specifically for nginx you simply download the zip and run the command.

How to supply sudo with password from script?

Please note: this is a guest VM (VBox) running on my local machine, and I'm not worried about security.
I am writing a script that will be executed on a Linux (Ubuntu) VM as the myuser user. This script will create a very large directory tree under /etc/myapp. Currently I have to do all this manually, and it starts with me giving myuser recrusive rwx permissions under /etc like so:
sudo chmod -R 777 /etc
[sudo] password for myuser: <now I enter the password and hit ENTER>
My question: how do I write a bash script that supplies the sudo command with my password so that I can just execute bash myscript.sh and it will make the necessary permission changes for me?
(BASH)
OK, if you've gotta do it, (keeping security warnings in mind):
$ sudo -S < <(echo "<your password>") <your sudo command>
If, as you say, you completely don't care about security...
Run visudo to edit /etc/sudoers with validation in place. Add the following line:
ALL ALL=(ALL) NOPASSWD: ALL
This will prevent sudo from ever asking for a password, for any user, for any command.
You can use expect or autoexpect. It's a bad idea, though.
Never put system passwords into writing. At least, not on a file on said system. Much less on an install script known to require root access. You're making yourself an easy target.
What you do instead, is configure sudo via /etc/sudoers/ to allow exactly that user to execute exactly that script without a password:
myuser ALL=(ALL) NOPASSWD : /path/to/script
Note:
If you remove the /path/to/script part, myuser will be able to sudo anything with no password.
If you change myuser for ALL, everyone will be able to run that script with no password.

Running Remote Root Scripts on Fedora

I'd like to automate root scripting actions on my remote Fedora server via SSH without having to install the scripts on the server. To do this, I'm trying to use Bash's inline script notation. This works fine in Ubuntu, but I'm getting strange errors on Fedora.
e.g.
#!/bin/bash
ssh -t myuser#myserver <<EOI
su -
ls /root
exit
exit
EOI
This gives me the output:
standard in must be a tty
ls: cannot open directory /root: Permission denied
I've also tried:
#!/bin/bash
ssh -t myuser#myserver <<EOI
sudo ls /root
exit
EOI
but this gives me:
sudo: no tty present and no askpass program specified
If I manually ssh in and run these commands, they run fine since myuser is in the sudoers file. I've Googled these errors and have tried some fixes, but nothing's worked so far. How do I resolve this?
Looks like you're being prompted for the password but have no way to enter it. Here's a few things that should help.
Try an extra -t option: ssh -tt myuser#myserver <<EOI
Also this is a handy trick to log on as root without the root password being enabled: sudo su -
As a last resort you can setup your user to sudo without a password using visudo. You might see some comments like these to help you out:
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL

Resources