Hello list,

I took another stab at finding a way to add a sudo user remotely and it gets you most of the way there. If you execute the script as root it works beautifully and does just what you want, which is add the user to the group and give that user group rights to certain commands.

But if you execute it as a user who only has sudo access to the /etc/sudoers file it errors out.

cloud:~] bluethundr% ./add_sudo.sh
reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT!
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again.
sudo: 3 incorrect password attempts
Connection to $host closed.
1
reverse mapping checking getaddrinfo for $host failed - POSSIBLE BREAK-IN ATTEMPT!
bash: /tmp/sudoers.tmp: Permission denied
Connection $host to closed.
1

The main problem is that the script doesn't enter the password.

I'm attempting to echo the user's sudo pass in like this:

$SSH -t $USER@$HOST <http://host.jokefire.com/> 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'

(of course I'm trying it out in my own environment before I try to use it in their environment).

Here's the script itself, I was hoping you could offer some help here:

#!/bin/bash

SSH='/usr/bin/ssh'
ECHO='/bin/echo'
TEE='/usr/bin/tee'
SUDO='/usr/bin/sudo'
VISUDO='/usr/sbin/visudo'
CP='/bin/cp'
CAT='/bin/cat'
USER='user'
HOST='beta'
PASSWD='secret'


$SSH -t $USER@$HOST <http://host.jokefire.com/> 'echo $PASSWD | $SUDO -S $CP /etc/sudoers /tmp/sudoers-template'

echo $?

if [ $? -eq 0 ]; then
    $SSH -t $USER@$HOST <http://host.jokefire.com/> 'echo $PASSWD | $SUDO -S echo "%my_group ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df" > /tmp/sudoers.tmp'
    echo $?

    if [ $? -eq 0 ]; then
        $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD | $SUDO -S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template"
        echo $?

        if [ $? -eq 0 ]; then
            $SSH $USER@$HOST <http://host.jokefire.com/> "$VISUDO -cf '/tmp/sudoers-template' 2>&1 >& /dev/null"
            echo $?

            if [ $? -eq 0 ]; then
                $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD | $SUDO -S $CP '/etc/$SUDOers' '/tmp/sudoers.bak'"
                echo $?

                if [ $? -eq 0 ]; then
                    $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD | $SUDO -S $CP '/tmp/$SUDOers-template' '/etc/sudoers'"
                    echo $?

                    if [ $? -eq 0 ]; then
                        $SSH -t $USER@$HOST <http://host.jokefire.com/> "echo $PASSWD | $SUDO -S $VISUDO -cf '/etc/sudoers'"
                    fi
                    if [ $? -eq 0 ]; then
                        $ECHO -e "You have successfully added the user to sudoers"
                    fi
                fi
            fi
        fi
    fi
fi

Thanks!

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Consider using the NOPASSWD option, on the remote systems, to allow this particular user to run this particular script.

--
Mike Burger
http://www.bubbanfriends.org

"It's always suicide-mission this, save-the-planet that. No one ever just stops by to say 'hi' anymore."
--Colonel Jack O'Neill, SG1
Some notes:

Every time you "echo $?", you are wiping out the return status (because echo returns a success and changes $? to 0), so none of your if statements will ever catch any errors.

Consider getting rid of the 'if' subtrees by negating your condition, which will make it much easier to understand what's going on. Having 6 levels of nested 'if's is a sure sign that something should be done differently.

    some_command
    if [[ $? -ne 0 ]]; then
        exit 1
    fi

Take a look at the bash PIPESTATUS variable and make sure you are checking the return value of the command you actually want to know about.

Skip the sudoers.tmp stuff and just use the echo command to append to sudoers-template directly with:

    echo "..." >> /tmp/sudoers-template

You have a few commands that try to reference a file called "$SUDOers" and "$SUDOers-template", which might expand to /usr/bin/sudoers, or might be the literal "$SUDOers", either of which is most definitely not what you want.

Not sure what all that "http://host.jokefire.com" stuff is, but you've already specified your host in $USER@$HOST. Also, http://... makes no sense there.

Your first few $SSH lines use single quotes, so the variables inside will never get expanded, so you'll be trying the literal '$PASSWD' as the password.

In addition to all of that, your approach is overly complicated. Something much more succinct should work just fine (untested general pseudo-code):

    # Make temp copy to work on
    if cp /etc/sudoers /tmp/sudoers.tmp; then
        # If sudoers doesn't contain your line, then add it
        if ! grep -q "%my_group" /etc/sudoers; then
            echo "%my_group ..." >> /tmp/sudoers.tmp
        fi

        # Check syntax. Replace original file if OK, otherwise, exit with error
        if visudo -cf /tmp/sudoers.tmp; then
            mv -f /tmp/sudoers.tmp /etc/sudoers
        else
            exit 1
        fi
    else
        exit 1
    fi

Since you already have access to SSH, why not copy a full script file to the server and execute it, instead of doing each step in a separate ssh? Like:

    scp update_sudoers.sh user@host:/tmp
    ssh -t user@host "echo $PASSWD | sudo -S sh -c 'bash /tmp/update_sudoers.sh; rm -f /tmp/update_sudoers.sh'"

That won't work if the server has /tmp mounted with the "noexec" option, but you get the idea. It could also probably be converted into a (long) one-liner and executed using a single ssh/sudo command. Just be careful about quoting.

Brian Mathis

On Wed, Jul 17, 2013 at 7:17 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
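Brian's points (check the real return status instead of an "echo $?"-clobbered one, append the rule only when it is absent, validate with visudo before the live file is replaced) pulled together as an added example; this is not code from the thread. It is meant to run on the target host as root, for instance through the scp/ssh wrapper in the reply above; SUDOERS_FILE and SUDOERS_CHECK are hypothetical override hooks so the function can be exercised against a scratch copy without touching /etc/sudoers.

```shell
#!/bin/bash
# Added example: idempotent, validated sudoers update (not the thread's own code).
# Assumes it runs as root on the target host. SUDOERS_FILE and SUDOERS_CHECK are
# hypothetical hooks: the defaults are the real file and the real validator.
set -u

SUDOERS_FILE="${SUDOERS_FILE:-/etc/sudoers}"
# Validator for a candidate file; "visudo -cf FILE" exits non-zero on a syntax error.
SUDOERS_CHECK="${SUDOERS_CHECK:-visudo -cf}"

# add_sudoers_rule RULE
# Appends RULE (e.g. "%my_group ALL=(root) NOPASSWD: /usr/bin/du, /bin/df") to
# SUDOERS_FILE unless a rule for the same principal is already present, validates
# the candidate, then installs it atomically with mode 0440.
# Returns 0 on success or no-op, 1 if the copy failed, 2 if validation failed.
add_sudoers_rule() {
    rule=$1
    principal=${rule%% *}              # first word: the user or %group the rule is for
    # Already present? Nothing to do, so the script is safe to re-run.
    if grep -q "^${principal}[[:space:]]" "$SUDOERS_FILE"; then
        return 0
    fi
    # Scratch copy in the same directory, so the final mv is an atomic rename
    # and a half-written file can never replace the live one.
    tmp=$(mktemp "${SUDOERS_FILE}.XXXXXX") || return 1
    cp "$SUDOERS_FILE" "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$rule" >> "$tmp"
    # Validate before install; the exit status checked here is the validator's own.
    if ! $SUDOERS_CHECK "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 2
    fi
    chmod 0440 "$tmp" && mv -f "$tmp" "$SUDOERS_FILE"
}
```

Invoke it as `add_sudoers_rule '%my_group ALL=(root) NOPASSWD: /sbin/service, /bin/rm, /usr/bin/du, /bin/df'` from the script you copy over; a non-zero return means the live file was left untouched.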