Hi Tim,
You seem pretty determined to make this as convoluted as possible. Adding
'expect' into the mix? Using 'tee -a' to simply append a line
to a file?
chmod 777?
If you take a look at my previous reply, you can see this is relatively
simple, and I basically wrote it for you, and even improved it to add some
checking before making the changes.
There is no need to include a password in the script, as it can be read
from the user like:
echo "Enter password"
read PASSWD
What are the issues you see with that?
Brian Mathis
On Thu, Jul 18, 2013 at 5:37 PM, Tim Dunphy <bluethundr at gmail.com> wrote:
> I took your suggestion and turned my (ill-advised) sudoers bash script
> into an expect script! It works a lot better this way and is more secure.
> Because I'm not trying to store a password in a script (which I recognize
> as a bad idea anyway, I think I've learned my lesson here).
>
>
> It really works well. But the only thing I'm still trying to figure out is
> how to put an if statement in there based on the success of the last command
> ($?) before it'll move the new sudoers file in place. I'm verifying it with
> visudo before attempting to make the move. I'd like to make the final move
> based on the success/failure of that.
>
> Anyway, here's the script:
>
> stty -echo
> send_user -- "Please enter the host: "
> expect_user -re "(.*)\n"
> send_user "\n"
> set host $expect_out(1,string)
>
> stty -echo
> send_user -- "Please enter your username: "
> expect_user -re "(.*)\n"
> send_user "\n"
> set username $expect_out(1,string)
>
> stty -echo
> send_user -- "Please enter your passwd: "
> expect_user -re "(.*)\n"
> send_user "\n"
> set passwd $expect_out(1,string)
>
>
> set timeout -1
> spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers-template}
> match_max 100000
> expect -exact "\[sudo\] password for $username: "
> send -- "$passwd\r"
> expect eof
>
> set timeout -1
> spawn ssh -t $host {sudo -S rm -f /tmp/sudoers.tmp}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {sudo -S echo '%tekmark_t1 ALL=(root) NOPASSWD:
> /sbin/service, /bin/rm, /usr/bin/du, /bin/df, /bin/ls, /usr/bin/find,
> /usr/sbin/tcpdump' > /tmp/sudoers.tmp}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {sudo -S chmod 777 /tmp/sudoers-template}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {cat /tmp/sudoers.tmp | tee -a /tmp/sudoers-template}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {/usr/sbin/visudo -cf /tmp/sudoers-template}
> match_max 100000
> expect eof
>
> if { "$?" == 0 } {
>
> set timeout -1
> spawn ssh -t $host {sudo -S cp /etc/sudoers /tmp/sudoers.bak}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {sudo -S cp /tmp/sudoers-template /etc/sudoers}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {sudo -S /usr/sbin/visudo -cf /etc/sudoers}
> match_max 100000
> expect eof
>
> set timeout -1
> spawn ssh -t $host {rm -f /tmp/sudoers-template}
> match_max 100000
> expect eof
> } else {
>
> puts "Verification of sudo template failed. Aborting. Process failed"
>
> }
>
>
> Pretty simple! Got a suggestion to make this work? If I get that part
> right, it'll be done.
>
>
> Thanks!
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
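As an added example, not code from either message in the thread: the same task in plain shell, covering Brian's two points (read the password from the user at run time instead of storing it, and check the candidate file before touching anything) and the exit-status branch Tim asked about. The validator is passed as a parameter so the logic can be exercised without root; on a real host it would be `/usr/sbin/visudo -cf` as in Tim's script. The function names, the 0440 mode for the installed file, and the use of mktemp instead of a fixed, world-writable /tmp path are my choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread). Stage a sudoers change, validate it,
# and install it only when validation succeeds. The validator command is a
# parameter; for real use it is '/usr/sbin/visudo -cf' (assumed present).

# Prompt for a password without echoing it, the shell equivalent of the
# 'stty -echo' in the expect script. The value is never written to disk.
read_password() {
    local pw
    printf 'Enter password: ' >&2
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# stage_candidate CURRENT LINE
# Copies CURRENT into a fresh, unpredictable temp file owned by the caller
# with mode 0600, appends LINE, and prints the temp file's path. No fixed
# name and no chmod 777, so another local user cannot replace the content
# between staging and installation.
stage_candidate() {
    local current=$1 line=$2 cand
    cand=$(mktemp "${TMPDIR:-/tmp}/sudoers.XXXXXX") || return 1
    chmod 0600 "$cand" || return 1
    cat "$current" > "$cand" || return 1
    printf '%s\n' "$line" >> "$cand" || return 1
    printf '%s' "$cand"
}

# validate_and_install CANDIDATE DEST VALIDATOR [ARGS...]
# Runs 'VALIDATOR ARGS... CANDIDATE' and branches on its exit status ($?).
# On 0: keep a backup of DEST, then install CANDIDATE over it with mode 0440
# (the mode sudoers is expected to have). On anything else: leave DEST alone.
# The return value mirrors the validator's so callers can use if/else.
validate_and_install() {
    local cand=$1 dest=$2 status
    shift 2
    "$@" "$cand"
    status=$?
    if [ "$status" -eq 0 ]; then
        if [ -e "$dest" ]; then
            cp -p "$dest" "$dest.bak" || return 1
        fi
        install -m 0440 "$cand" "$dest" || return 1
        return 0
    fi
    echo "validation of $cand failed (exit $status); $dest left untouched" >&2
    return "$status"
}

# main DEST LINE
# End-to-end use as root on the host being changed: build the candidate from
# DEST, validate it with visudo, install on success, clean up the temp file.
main() {
    local dest=$1 line=$2 cand
    cand=$(stage_candidate "$dest" "$line") || exit 1
    trap 'rm -f "$cand"' EXIT
    if validate_and_install "$cand" "$dest" /usr/sbin/visudo -cf; then
        echo "installed new $dest (backup in $dest.bak)"
    else
        exit 1
    fi
}
```

Run it as `main /etc/sudoers '%group ALL=(root) NOPASSWD: /bin/ls'` on the target host. If the change has to be pushed through `sudo -S` on a remote box instead, the value returned by `read_password` is fed to sudo at run time, which is Brian's `read PASSWD` suggestion with echo turned off; the password still never appears in the script or in a file.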