Hello list,
I took another stab at finding a way to add a sudo user remotely and it gets you most of the way there. If you execute the script as root it works beautifully and does just what you want. Which is add the user to the group and gives that user group rights to certain commands.
But if you execute it as a user who only has sudo access to the /etc/sudoers file it errors out.
cloud:~] bluethundr% ./add_sudo.sh reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT! [sudo] password for bluethundr: Sorry, try again. [sudo] password for bluethundr: Sorry, try again. [sudo] password for bluethundr: Sorry, try again. sudo: 3 incorrect password attempts Connection to $host closed. 1 reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT! bash: /tmp/sudoers.tmp: Permission denied Connection $host to closed. 1
The main problem is that the script doesn't enter the password.
I'm attempting to echo the user's sudo pass in like this:
$SSH -t $USER@$HOST http://host.jokefire.com/ 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'
(of course I'm trying it out in my own environment before I try to use it in their environment).
Here' s the script itself, I was hoping you could offer some help here:
#!/bin/bash
SSH='/usr/bin/ssh' ECHO='/bin/echo' TEE='/usr/bin/tee' SUDO='/usr/bin/sudo' VISUDO='/usr/sbin/visudo' CP='/bin/cp' CAT='/bin/cat' USER='user' HOST='beta' PASSWD='secret'
$SSH -t $USER@$HOST http://host.jokefire.com/ 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'
echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST http://host.jokefire.com/ 'echo $PASSWD | $SUDO -S echo "%my_group ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df" > /tmp/sudoers.tmp' echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST http://host.jokefire.com/ "echo $PASSWD | $SUDO -S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template" echo $?
if [ $? -eq 0 ]; then
$SSH $USER@$HOST http://host.jokefire.com/ "$VISUDO -cf '/tmp/sudoers-template' 2>&1 >& /dev/null" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST http://host.jokefire.com/ "echo $PASSWD | $SUDO -S $CP '/etc/$SUDOers' '/tmp/sudoers.bak'" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST http://host.jokefire.com/ "echo $PASSWD | $SUDO -S $CP '/tmp/$SUDOers-template' '/etc/sudoers'" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST http://host.jokefire.com/ "echo $PASSWD | $SUDO -S $VISUDO -cf '/etc/sudoers'"
fi if [ $? -eq 0 ]; then $ECHO -e "You have successfully added the user to sudoers" fi fi fi fi fi fi
Thanks!
Consider using the NOPASSWD option, on the remote systems, to allow this particular use to run this particular script.
Consider using the NOPASSWD option, on the remote systems, to allow this particular use to run this particular script.
Some notes:
Every time you "echo $?", you are wiping out the return status (because echo returns a success and changes $? to 0), so none of your if statements will ever catch any errors.
Consider getting rid of the 'if' subtrees by negating your condition, which will make it much easier to understand what's going on. Having 6 levels of nested 'if's is a sure sign that something should be done differently. some_command if [[ $? -ne 0 ]]; then exit 1 fi
Take a look at the bash PIPESTATUS variable and make sure you are checking the return value of the command you actually want to know about.
Skip the sudoers.tmp stuff and just use the echo command to append to sudoers-template directly with: echo "..." >> /tmp/sudoers-template
You have a few commands that try to reference a file called "$SUDOers" and "$SUDOers-template", which might expand to /usr/bin/sudoers, or might be the literal "$SUDOers", either of which is most definitely not what you want.
Not sure what all that "http://host.jokefire.com" stuff is, but you've already specified your host in $USER@$HOST. Also, http://... makes no sense there.
You first few $SSH lines use single quotes, so the variables inside will never get expanded, so you'll be trying the literal '$PASSWD' as the password.
In addition to all of that, your approach is overly complicated. Something much more succinct should work just fine (untested general pseudo-code):
# Make temp copy to work on if cp /etc/sudoers /tmp/sudoers.tmp; then # If sudoers doesn't contain your line, then add it if ! grep -q "%my_group" /etc/sudoers; then echo "%my_group ..." >> /tmp/sudoers.tmp fi # Check syntax. Replace original file if OK, otherwise, exit with error if visudo -cf /tmp/sudoers.tmp; then mv -f /tmp/sudoers.tmp /etc/sudoers else exit 1 fi else exit 1 fi
Since you already have access to SSH, why not copy a full script file to the server and execute it, instead of doing each step in a separate ssh? Like: scp update_sudoers.sh user@host:/tmp ssh -t user@host "echo $PASSWD | sudo -S 'bash /tmp/update_sudoers.sh; rm -f /tmp/update_sudoers.sh'" That won't work if the server has /tmp mounted with the "noexec" option, but you get the idea.
It could also probably be converted into a (long) one-liner and executed using a single ssh/sudo command. Just be careful about quoting.
❧ Brian Mathis
On Wed, Jul 17, 2013 at 7:17 PM, Tim Dunphy bluethundr@gmail.com wrote:
Hello list,
I took another stab at finding a way to add a sudo user remotely and it gets you most of the way there. If you execute the script as root it works beautifully and does just what you want. Which is add the user to the group and gives that user group rights to certain commands.
But if you execute it as a user who only has sudo access to the /etc/sudoers file it errors out.
cloud:~] bluethundr% ./add_sudo.sh reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT! [sudo] password for bluethundr: Sorry, try again. [sudo] password for bluethundr: Sorry, try again. [sudo] password for bluethundr: Sorry, try again. sudo: 3 incorrect password attempts Connection to $host closed. 1 reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT! bash: /tmp/sudoers.tmp: Permission denied Connection $host to closed. 1
The main problem is that the script doesn't enter the password.
I'm attempting to echo the user's sudo pass in like this:
$SSH -t $USER@$HOST http://host.jokefire.com/ 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'
(of course I'm trying it out in my own environment before I try to use it in their environment).
Here' s the script itself, I was hoping you could offer some help here:
#!/bin/bash
SSH='/usr/bin/ssh' ECHO='/bin/echo' TEE='/usr/bin/tee' SUDO='/usr/bin/sudo' VISUDO='/usr/sbin/visudo' CP='/bin/cp' CAT='/bin/cat' USER='user' HOST='beta' PASSWD='secret'
$SSH -t $USER@$HOST http://host.jokefire.com/ 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'
echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST <http://host.jokefire.com/> 'echo $PASSWD |$SUDO -S echo "%my_group ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df" > /tmp/sudoers.tmp' echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD | $SUDO-S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template" echo $?
if [ $? -eq 0 ]; then
$SSH $USER@$HOST http://host.jokefire.com/ "$VISUDO -cf '/tmp/sudoers-template' 2>&1 >& /dev/null" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD |$SUDO -S $CP '/etc/$SUDOers' '/tmp/sudoers.bak'" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD |$SUDO -S $CP '/tmp/$SUDOers-template' '/etc/sudoers'" echo $?
if [ $? -eq 0 ]; then $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD| $SUDO -S $VISUDO -cf '/etc/sudoers'"
fi if [ $? -eq 0 ]; then $ECHO -e "You have successfully added the user to sudoers" fi fi fi fifi fi
Thanks!
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-
Brian Mathis -
Mike Burger -
Tim Dunphy