|
|
How can I hide passwords in a shell script?Dave, we have to do sudo in a shell/perl scripts for certain commands. As you know sudo needs password to be supplied. sudo has -S option for stdin. For example: echo $pw | sudo -S command Assume, somehow, we figure out the password and pass it in for the above echo. But, the buggest concern is, if someone does a "ps", one will be able to see the password. The above example is part of a shell script and what we need to know is how do we hide the password? If you're specifically trying to accomplish this so you can work with "sudo", then here's some good news: sudo doesn't actually require password entry. If you use the command visudo (on FreeBSD?, or the appropriate equivalent on your OS) to edit your sudoers file (which controls who is allowed to use the sudo command), you can add a line like the following to permit sudo usage by user 'username' without password entry for any command. username ALL = NOPASSWD: ALL Or a line like the following will allow only '/usr/local/bin/script.sh' to be run with sudo by the user 'username' without a password. username ALL = NOPASSWD: /usr/local/bin/script.sh The above would be by far the most secure option, since it doesn't require keeping a password in plain text anywhere on the system. Alternatively, you can hide command line options like a password from ps output by inserting the value with another command using back ticks. For example, you can put the password in a file called password.txt in the user's home directory, and instead of putting the password in the command line put in `cat /home/username/password.txt` Just make sure you chmod 700 password.txt so only that user can read the file. Oh, and I'd probably name it something less obvious too, just for insurance. Another thought: Some operating systems have settings that only let users see their own processes in ps. FreeBSD 4.x can be set to behave in this fashion by setting sysctl kern.ps_showallprocs to 0. FreeBSD 5.x has sysctls security.bsd.see_other_uids and security.bsd.see_other_gids that can both be set to 0 for the same effect. Linux needs kernel patches to accomplish this, like grsecurity, as one example. Note that all of these controls do not affect users with root access. Hope you find these ideas useful! My thanks to Chris Buechler for his aid with this question.
More Useful Unix and Linux Help Articles:
✔ Copy and Paste from the Mac OS X Command Line?
I am constantly running commands in Terminal.app on my MacBook and then copying and pasting the results into email messages or documents. Yes,...
✔ Shell script to convert lowercase to title case?As part of a project I'm working on, I find myself deep in a Linux shell script, needing to have a subroutine that...
✔ Can I script renaming files based on an XML data map?I have a folder full of files which are named with four digits and a file extension e.g. 0312.file and an XML-file describing...
✔ Test for valid numbers in a Bash shell script?In a different discussion on this site [see Redirecting input in a shell script] a visitor commented that "I was too busy trying...
✔ Review: iSSH for the iPad/iPhoneIf you're running an online business like I am, there are times when you need to connect and log in to the server...
Let's stay in touch!
Sign up for my weekly AskDaveTaylor Newsletter and you'll receive even more tech and gadget help
right to your inbox, along with exclusive news and industry updates. It's good stuff. I promise!
Categorized:
Unix and Linux Help
(Article 3987,
Written by Dave Taylor)
Tagged: Previous: Microsoft Internet Explorer IE6 can't search from address bar? Next: Saving Email Addresses in Microsoft Outlook Express? Reader Comments To Date: 11Mike said, on May 24, 2005 9:29 AM:
At www.linuxsecurity.com you may check out an article on the generic shell script compiler (www.datsi.fi.upm.es/~frosal/; hope this contains no typo; anyway the tool is also listed as shc at osx.hyperjeff.net/apps). Fazil said, on February 7, 2007 11:41 PM:
Dave, I'm using HP-UX machine and UNIX shell script. I developed 1 script using sql SYBASE (korn shell) and put into crontab. how I want to hide the password in my script ? karthick said, on February 16, 2007 1:28 AM:
Hi,
Thanks Tejas J Raval said, on July 15, 2009 11:18 PM:
Hello dave, I'm using solaris machine and UNIX shell script. how I want to hide the password in my script ? Thanks & Regards, Tejas Forest Bond said, on February 23, 2010 11:25 AM:
Using back ticks won't hide your password any more than using a shell variable. In either case, the shell performs substitution on the command line and then executes "echo mypassword". Dave Taylor said, on February 23, 2010 11:31 AM:
Tru 'nuf, Forest. The reality is that there's no way to really hide the password unless you can encrypt it and leave it encrypted, but I haven't seen any apps that will let you feed it a pre-encrypted PW and if it did, well, that would leave a backdoor anyway. We need biometrics. :-) Vadivel said, on June 2, 2010 3:17 AM:
Hi, Thanks, Gerson Lopez said, on December 3, 2010 1:14 PM:
Hello Dave I am working on debian 5.0 I want get and put with sftp, how I can do to hide the password of this script Thank #!/usr/bin/expect Mac said, on July 11, 2011 7:22 PM:
Hi Thank you. Ron Betts said, on December 7, 2011 4:55 PM:
thanks for all the contributions. i noticed a few will work, but any that set a variable (even the `cat password.txt` example would still show password (as Forest Bond pointed out). i have a similar issue: set password for shared database user, but when running a trace (think debug) env variables are dumped too. anybody who runs application as that user now has password.
I do have a comment, now that you mention it!Check This Out Too... |
Recent Entries
Look for Answers
Recommended
All Our Categories
Apple iPad Help
Articles and Reviews Auctions and Online Shopping Blogs and Blogging Building Web Site Traffic Business and Management Computer and Internet Basics d) None of the Above Facebook Help Google Gmail Help Google Plus Help HTML, JavaScript and Web Site Programming Industry News and Trade Shows iPhone and Cell Phone Help iPod, Sony PSP and MP3 Player Help Kindle Fire Help Mac OS X Help Pay Per Click (PPC) Advertising Pinterest Help Search Engine Optimization (SEO) Shell Script Programming Tech Support Video Help The Writing Business Twitter, LinkedIn and Social Network Help Unix and Linux Help Video Game Tips and Help Windows PC Help Find Me on Google+ ADT on G+ |
Another trick you can do is like the old cobalt Raq servers. Create a 'super-secret-hidden-file' whose entire contents are the password and then do
cat super-secret-hidden-file | sudo -S command
The sudo trick mentioned above is better than this though.
Here are two alternate ideas that let you do what you want but also give you the flexibility of running the task on other computers:
You can consider using SSH. If you are logged in as a non-root user and you want to run a command as root (or any other user) without entering a password you can set up public key encryption using SSH and then just do this:
ssh root@computername command
My personal favorite is to create a cron job that runs every minute and watches a particular folder for a file. Your script can run as an unpriveledged user and simply do
touch watched-folder/file.txt
Then, your cron job should check if this file exists and if so, carry out the predetermined task and delete the temporary file. This is great for running tasks as root on the same computer or for running privileged or un-privileged tasks on another computer.
I use it to run batch tasks on different machines. All I need to do is copy (or scp) a log file to the waiting computer. It will detect the presence of this new file and then begin processing the log.