How can I hide passwords in a shell script?

We have to do sudo in shell/perl scripts for certain commands. As you know, sudo needs a password to be supplied. sudo has the -S option for stdin.

For example:

echo $pw | sudo -S command

Assume, somehow, we figure out the password and pass it in for the above echo. But the biggest concern is that if someone does a “ps”, they will be able to see the password. The above example is part of a shell script, and what we need to know is: how do we hide the password?

If you’re specifically trying to accomplish this so you can work with “sudo”, then here’s some good news: sudo doesn’t actually require password entry. If you use the command visudo (on FreeBSD?, or the appropriate equivalent on your OS) to edit your sudoers file (which controls who is allowed to use the sudo command), you can add a line like the following to permit sudo usage by user ‘username’ without password entry for any command.

  username ALL = NOPASSWD: ALL

Or a line like the following will allow…

2 Comments

[...] Well, I found this site and this one. But it still feels like you are setting yourself up to get hacked. Is this PHP script coming from the command line or on your web server? If it is from the web, perhaps you need to work on some creative CRON job running as a privileged user. Also, search the Ubuntu forums; there you can find a way to enable the root account so you can make a script run as root. But once again, you could be setting yourself up for a seriously bad day by running a script that requires root privileges from PHP. Can you perhaps tell us what exactly you are trying to do? [...]

I had this problem working with controlm (a centralized scheduler), because the operators are able to see the script and also the standard output of the execution through a GUI…
So I found a way to hide the password:

First, create a file with only the password in it and give it restricted permissions, for example the file “.pass.txt”.

And then you have to use a function to call the command. That way, the standard output will be shown, but not the command with the password substituted in. This is necessary in controlm, because a “set -x” is added to all the scripts executed, and without the function you would see the line used to execute the command with the password already replaced.

#!/bin/ksh
# Wrap the command in a function; the password is read from the
# permission-restricted file .pass.txt at call time. The command
# substitution is quoted so a password containing spaces stays one argument.
ecsutilexport()
{
    ecs util -U emuser -P "$(cat .pass.txt)" -export -type all
}
ecsutilexport
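As an added example that is not part of the original thread: a POSIX sh script that checks what the argument list of a running process reveals, which is the exposure the question raises about “ps” and which also applies to a -P argument like the one in the function above. It uses sh -c 'sleep 2' as a stand-in for a command that receives the password either as an argument or on stdin (as sudo -S does); the function names, the “stub” marker and the secret value are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks whether a secret
# handed to a child process is visible in that process's argument list (what
# "ps" and /proc/<pid>/cmdline show to other users). `sh -c 'sleep 2'` is a
# stand-in for a tool that takes the password as an argument or on stdin.

SECRET='hunter2-constructed-sample'   # constructed sample value, not a real credential

# Print the argument list of process $1. Polls a few times because the child
# may not have exec'd yet when we first look (its argv[0] is the marker "stub").
proc_args() {
    tries=0
    while :; do
        if [ -r "/proc/$1/cmdline" ]; then
            args=$(tr '\0' ' ' < "/proc/$1/cmdline")
        else
            args=$(ps -o args= -p "$1")      # fallback where /proc is absent
        fi
        case "$args" in *stub*) break ;; esac
        tries=$((tries + 1))
        [ "$tries" -ge 3 ] && break
        sleep 1
    done
    printf '%s' "$args"
}

# Secret passed as an argument: anyone who can run "ps" can read it.
secret_as_argument() {
    sh -c 'sleep 2' stub -P "$SECRET" &
    pid=$!
    args=$(proc_args "$pid")
    wait "$pid"
    case "$args" in *"$SECRET"*) echo exposed ;; *) echo hidden ;; esac
}

# Secret delivered on stdin: the argument list carries no trace of it.
secret_on_stdin() {
    sh -c 'read -r pw; sleep 2' stub <<EOF &
$SECRET
EOF
    pid=$!
    args=$(proc_args "$pid")
    wait "$pid"
    case "$args" in *"$SECRET"*) echo exposed ;; *) echo hidden ;; esac
}

echo "argument: $(secret_as_argument)"   # exposed
echo "stdin:    $(secret_on_stdin)"      # hidden
```

The same check works against any real command: start it, read its argument list, and confirm the credential is absent before trusting a script on a shared host.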
