I usually have to login in 20 to 50 times daily as a super user, typing the long password again and again..
i have just created a simple bash script
#!/bin/bash
sudo -s
echo password
./test
output root#localhost:
password
when i execute it, it works like charm... but it shows my password on the screen.....
do some one have any other best solution...... for this small problem.......
i hope this is not all the solution in security standard...... can we have any other solution with out exposing my password.....
You can pipe the echo'd password into a command. Try something like this:
echo myPassword | sudo -S
You can see come more info on this here.
Question is, do you REALLY want your password in a shell script file? (just emphasizing that its a terrible idea)
Is there a reason that you can't sudo su - to just become the root user instead of prepending all of your commands with sudo blah?
just change ownership of the script to root & set SUID-Bit in user the permissions
chmod u=rws g+x o+x script123
the script will run as root for every user
You can configure sudo to require a password only every so many minutes. The default is 5 minutes. Read the sudoers man page and scroll down to this:
timestamp_timeout
Number of minutes that can elapse before sudo will ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
delete their own timestamps via sudo -v and sudo -k
respectively.
simple solution is to use key base authentication
Use ssh-copy-id instead following from this tutorial which is secure
Related
Certain applications (for example yay) uses sudo to run some commands as root. This means that I have to sit in front of the terminal and wait until I'm prompted by sudo for a password, then enter it manually to make yay continue. I can avoid this by running a command as sudo first (like sudo -v). That way yay can run commands as sudo without it prompting me for a password.
But some times, applications take so long to install that the sudo session times out (15 minutes) and sudo re-prompts me for a password. Since I usually leave my computer or switch to a different workspace while this happens, the sudo password prompt usually times out which is super annoying.
I don't want to disable the sudo timeout altogether, since it's there for a reason. However, when I expect that a command that uses sudo will take a long time, I would like to be able to disable sudo timing out for the current shell only.
Something like:
sudo --disable-timeout
Now I should be able to run sudo in the current shell, without ever having to re-enter my password, or until I run sudo -k.
Is something like this possible, or will I have to write a wrapper script that regularly refreshes the sudo session for me?
Here is one possible workaround. Write a script like this (e.g. sudo-stay-validated.sh):
#!/bin/bash
while true; do
sudo -v
sleep 60
done
Run the script in the terminal where sudo should stay validated:
$ bash sudo-stay-validated.sh
Press Ctrl+Z to place it in the background, then remember to run $ bg to resume the script in the background.
This keeps sudo validated in the current shell until it's closed.
There seems no easy way to do this for the current shell but you can set a timeout globally.
In order to set a different timeout (globally) than the default (=15 min) you can edit /etc/sudoers:
sudo visudo # opens /etc/sudoers for editing
# change the following line:
# Defaults env_reset
# to:
Defaults env_reset,timestamp_timeout=30 # timeout in minutes
Or:
cd /etc/sudoers.d
sudo visudo -f username
Defaults env_reset,timestamp_timeout=30 # timeout in minutes
Special values:
-1: no timeout
0: get prompted every single time
Generally, the sudo timeout is there for a (security) reason. When you (successfully) try to circumvent that timeout, you weaken the security of your system. So, lets have another look on the stated problem: you run a lengthy job, after some time sudo asks for a password and times out. You propose preventing sudo from asking for the password. Alternatively, prevent sudo from timing out. Put:
Defaults passwd_timeout=0
into your sudoers file to let sudo wait until you enter your password. This will prevent your timeout problem but will stall your build until you enter the password. On the plus side, you avoid compromising security.
Alternatively, since you mention yay specifically, there is a command line option for yay which makes it call sudo in the background to prevent it from timing out. From man sway:
--sudoloop
Loop sudo calls in the background to prevent sudo from timing out during long builds.
Well, why not to use screen for this purpose? Connect with ssh, start screen, start your command and de-attach from screen. Then when you ready to check if it your procedure completed then attach again. But even better send an email notification to special email address and your phone will notify you that the job is done (I hope that you have more or less modern cell phone). https://linux.die.net/man/1/screen
I have the following bash script to restart the network manager in Debian. The script works as is it should, but not as I would like it to. When the script asks for the sudo password I am able to pass it along using echo, but it displays the password in terminal while the script executes, making it less asthetically pleasing than I would like. Is there anyway to have the script enter the password, but not display the password text while the script calls for the sudo password?
I have tried as many suggestions on Stack Overflow as i could find, well as Stack Exchange before submitting this question.
Script is as follows:
#!/bin/bash
clear
echo "Restarting service Network Manager"
echo""
sleep 1
echo -e "\033[0;31m......................................\033[0m"
echo -e "\033[0;31m......................................\033[0m"
sleep 1
echo""
sudo service network-manager restart
sleep 2
echo <Password>
sleep 2
echo "Service Network Manager Restarted"
sleep 1
echo ""
echo "Relinquishing control of terminal to user..."
sleep 7
clear
Remove the echo <Password> line? I am pretty sure it does nothing other than display the password, as sudo apparently (through an appropriate entry in /etc/sudoers) works without you having to give a password. (What you write to terminal with echo does not get passed to any other process.)
Generally speaking, you can use sudo -S to make sudo expect the password on stdin. But also generally speaking, if you have to hardcode a password in a script, you're doing it wrong in some way.
Is there anyway to have the script enter the password
Putting password in script is not a good idea. First, from security point of view, password may be recovered from script from anyone with access to script. Second, from maintenance view, once you change your password, scripts suddenly stop working and you have to update them all.
Fortunately, as you are already using sudo there is better solution. You can configure sudo to allow running certain command without password, by using NOPASSWD rule in /etc/sudoers.
myuser ALL=(ALL) NOPASSWD: service network-manager restart
See:
How do I run specific sudo commands without a password?
How to run a specific program as root without a password prompt?
Warning: Always edit /etc/sudoers with visudo, never directly. It prevents you from breaking /etc/sudoers. Once you break your /etc/sudoers, you won't be able to use sudo, including using sudo to fix /etc/sudoers.
try this /bin/echo -e "password\n" | sudo apt-get update
or see this Use sudo with password as parameter
I wanted to force root user to change password on next login , so I executed command
chage -d 0 root.
The command executed successfully and return code as 0.Even /etc/shadow file is showing changes properly as follow
root:$1$ZlexRZiM$3cb5GDF9s7.U0l/Xwoh0E1:0:1:90:7:::
Still system is not forcing root user to change password.I even tried to expire password by executing command
passwd -e root
still facing same issue.
IT is a very strange behavior, this should work since it is a rather standard way to do it.
What I would check is:
Full logout, don't test it with the "sudo -i" or "sudo su" to test it and perform a clean login as root (straight as root)
Check the /etc/login.defs file for variables settings (even if I don't think it is much probable). Variables you should check for are (pasting std fedora settings from my workstation):
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
I would like to know if there is anyway to send a mail as soon as someone tries su -, su or su root. I know the mail command and I am trying to write a script but I am very confused as to
where to write it - whether in .bashrc of root or in /etc/process
how to invoke the mail on the use of su
I've tried the usual Google search etc. but got links on usage of su, disabling it, securing ssh etc - none of which answered this question.
Thanks in advance
I guess that your underlying requirement is that you have a bunch of people you have given root privilege to but you don't completely trust them so you want to keep an eye on them. Your solution to this is to get yourself sent mail whenever they become root.
The problem with this solution is that the root user has unlimited privilege and so there's nothing to stop them from counteracting this mechanism. They could for instance, edit the /etc/login.defs file in one session, do the good thing that you want them to do and then later su to root and do the bad thing that you fear and at the end of that session they edit the /etc/login.defs file back to it's original state and you're none the wiser. Alternatively they could just make a copy of /usr/bin/bash and make the copy a suid file that will give them privilege whenever they run it.
You might be able to close any of the vulnerabilities I've just suggested but there will be many, many more. So you either trust them or else don't use su at all and give them sudo permission to run just those commands that they need to do the thing you want them to do.
There's a log file called /var/log/secure which receives an entry any time su is executed. It gets entries under other conditions as well. It's described in the Linux Administrator's Security Guide.
If user "fred" executes su -, an entry will appear which looks something like this:
Jul 27 08:57:41 MyPC su: pam_unix(su-l:session): session opened for user root by fred(uid=500)
A similar entry would appear with su or su root.
So you could set up a script which monitors /var/log/secure as follows:
#!/bin/sh
while inotifywait -e modify /var/log/secure; do
if tail -n1 /var/log/secure | grep " su: "; then
tail -n1 /var/log/secure | grep " su: " | mail -s "su occurred" you#email.com
fi
done
Note that you need to have the inotify-tool package installed to use inotifywait.
If this script is running in the background, it should send an email to you#email.com any time an su entry occurs.
Now where to run the script. One approach would be to put this into an executable script file (say, watchsu) and call it from your rc.local file:
nohup /path/to/watchsu 2>&1 &
I'm sure there are other ideas for where to start it. I'm not familiar with CentOS.
According to the man page for su, in /etc/login.defs you can set either SULOG_FILE file or SYSLOG_SU_ENABLE yes to log all su activity. Then you just need something like inotifywait to watch the log file for su events.
In Linux how can I enter the password for one of the commands in a chain of commands which requires a sudo. One example which I can think of is when after running a long compile job, I want to shutdown the machine.
make ; sudo init 0
I want the shutdown command to run only after make finishes, but would like to enter the password right away, because I won't be there when the first command is done. Also, I don't want to run "make" with super user privileges. So switching to root and running the commands is also out of the question.
Thanks!
sudo sh -c "su -c 'make' $USER && init 0"
Change your uid early and often. That's the Chicago way!
You can run sudo -v to update the sudo timestamp - this means you won't need to enter a password for x minutes (default is 5). You can change the timeout by editing the timestamp_timeout in the sudoers file.
You also might want to change your command to
make && sudo init 0
which will only shut down if make completes successfully.
One possibility is to use Expect
to automate the password input.
Here's a simple HOW-TO for expect and passwords: http://www.linux.com/archive/feed/56066
Another possibility is to edit your /etc/sudoers and set your user to be able to use sudo without password. if you check the file it will be explained in the comments there.
Why not pipe the password into sudo?
make; echo 'password' | sudo -S init 0
Change the timeout for sudo to something long enough to cover your usage, then run something like sudo echo to authenticate, then run your other commands. As long as the password timeout hasn't been reached, it should execute without asking again.
You can add that to your sudoers file
username ALL = NOPASSWD: /sbin/init
where username is the username you want to allow.