I took your suggestion and turned my (ill advised) sudoers bash script into an expect script! It works a lot better this way and is more secure. Because I'm not trying to store a password in a script (which I recognize as a bad idea anyway, I I think I've learned my lesson here).
It really works well. But the only thing I'm still trying to figure out is how to put a if statement in there based on success of the last command ($?) before it'll move the new sudoers file in place. I'm verifying it with visudo before attempting to make the move. I'd like to make the final move based on the success/failure of that.
Anyway, here's the script:
stty -echo send_user -- "Please enter the host: " expect_user -re "(.*)\n" send_user "\n" set host $expect_out(1,string)
stty -echo send_user -- "Please enter your username: " expect_user -re "(.*)\n" send_user "\n" set username $expect_out(1,string)
stty -echo send_user -- "Please enter your passwd: " expect_user -re "(.*)\n" send_user "\n" set passwd $expect_out(1,string)
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers-template} match_max 100000 expect -exact "[sudo] password for $username: " send -- "$passwd\r" expect eof
set timeout -1 spawn ssh -t $host {sudo -S rm -f /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S echo '%tekmark_t1 ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df, /bin/ls, /usr/bin/find, /usr/sbin/tcpdump' > /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S chmod 777 /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {cat /tmp/sudoers.tmp | tee -a /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {/usr/sbin/visudo -cf /tmp/sudoers-template} match_max 100000 expect eof
if { "$?" == 0 } {
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers.bak} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S cp /tmp/sudoers-template /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S /usr/sbin/visudo -cf /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {rm -f /tmp/sudoers-template} match_max 100000 expect eof } else {
puts "Verification of sudo template failed. Aborting. Process failed"
}
Pretty simple! Got a suggestion to make this work? If I get that part right, it'll be done.
Thanks!