I took your suggestion and turned my (ill advised) sudoers bash script into an expect script! It works a lot better this way and is more secure. Because I'm not trying to store a password in a script (which I recognize as a bad idea anyway, I I think I've learned my lesson here).
It really works well. But the only thing I'm still trying to figure out is how to put a if statement in there based on success of the last command ($?) before it'll move the new sudoers file in place. I'm verifying it with visudo before attempting to make the move. I'd like to make the final move based on the success/failure of that.
Anyway, here's the script:
stty -echo send_user -- "Please enter the host: " expect_user -re "(.*)\n" send_user "\n" set host $expect_out(1,string)
stty -echo send_user -- "Please enter your username: " expect_user -re "(.*)\n" send_user "\n" set username $expect_out(1,string)
stty -echo send_user -- "Please enter your passwd: " expect_user -re "(.*)\n" send_user "\n" set passwd $expect_out(1,string)
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers-template} match_max 100000 expect -exact "[sudo] password for $username: " send -- "$passwd\r" expect eof
set timeout -1 spawn ssh -t $host {sudo -S rm -f /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S echo '%tekmark_t1 ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df, /bin/ls, /usr/bin/find, /usr/sbin/tcpdump' > /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S chmod 777 /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {cat /tmp/sudoers.tmp | tee -a /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {/usr/sbin/visudo -cf /tmp/sudoers-template} match_max 100000 expect eof
if { "$?" == 0 } {
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers.bak} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S cp /tmp/sudoers-template /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S /usr/sbin/visudo -cf /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {rm -f /tmp/sudoers-template} match_max 100000 expect eof } else {
puts "Verification of sudo template failed. Aborting. Process failed"
}
Pretty simple! Got a suggestion to make this work? If I get that part right, it'll be done.
Thanks!
Hi Tim,
You seem pretty determined to make this as convoluted as possible. Adding 'expect' into the mix? Using 'tee -a' to simply append a line to a file? chmod 777?
If you take a look at my previous reply, you can see this is relatively simple, and I basically wrote it for you, and even improved it to add some checking before making the changes.
There is no need to include a password in the script, as it can be read from the user like: echo "Enter password" read PASSWD
What are the issues you see with that?
❧ Brian Mathis
On Thu, Jul 18, 2013 at 5:37 PM, Tim Dunphy bluethundr@gmail.com wrote:
I took your suggestion and turned my (ill advised) sudoers bash script into an expect script! It works a lot better this way and is more secure. Because I'm not trying to store a password in a script (which I recognize as a bad idea anyway, I I think I've learned my lesson here).
It really works well. But the only thing I'm still trying to figure out is how to put a if statement in there based on success of the last command ($?) before it'll move the new sudoers file in place. I'm verifying it with visudo before attempting to make the move. I'd like to make the final move based on the success/failure of that.
Anyway, here's the script:
stty -echo send_user -- "Please enter the host: " expect_user -re "(.*)\n" send_user "\n" set host $expect_out(1,string)
stty -echo send_user -- "Please enter your username: " expect_user -re "(.*)\n" send_user "\n" set username $expect_out(1,string)
stty -echo send_user -- "Please enter your passwd: " expect_user -re "(.*)\n" send_user "\n" set passwd $expect_out(1,string)
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers-template} match_max 100000 expect -exact "[sudo] password for $username: " send -- "$passwd\r" expect eof
set timeout -1 spawn ssh -t $host {sudo -S rm -f /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S echo '%tekmark_t1 ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df, /bin/ls, /usr/bin/find, /usr/sbin/tcpdump' > /tmp/sudoers.tmp} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S chmod 777 /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {cat /tmp/sudoers.tmp | tee -a /tmp/sudoers-template} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {/usr/sbin/visudo -cf /tmp/sudoers-template} match_max 100000 expect eof
if { "$?" == 0 } {
set timeout -1 spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers.bak} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S cp /tmp/sudoers-template /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {sudo -S /usr/sbin/visudo -cf /etc/sudoers} match_max 100000 expect eof
set timeout -1 spawn ssh -t $host {rm -f /tmp/sudoers-template} match_max 100000 expect eof } else {
puts "Verification of sudo template failed. Aborting. Process failed"
}
Pretty simple! Got a suggestion to make this work? If I get that part right, it'll be done.
Thanks!
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-
Brian Mathis -
Tim Dunphy