Dave, we have to do sudo in shell/perl scripts for certain commands. As you know, sudo needs a password to be supplied. sudo has the -S option for stdin.
echo $pw | sudo -S command
Assume, somehow, we figure out the password and pass it in for the above echo. But, the biggest concern is, if someone does a “ps”, one will be able to see the password. The above example is part of a shell script and what we need to know is how do we hide the password?
If you’re specifically trying to accomplish this so you can work with “sudo”, then here’s some good news: sudo doesn’t actually require password entry. If you use the command visudo (on FreeBSD, or the appropriate equivalent on your OS) to edit your sudoers file (which controls who is allowed to use the sudo command), you can add a line like the following to permit sudo usage by user ‘username’ without password entry for any command.
username ALL = NOPASSWD: ALL
Or a line like the following will allow only ‘/usr/local/bin/script.sh’ to be run with sudo by the user ‘username’ without a password.
username ALL = NOPASSWD: /usr/local/bin/script.sh
The above would be by far the most secure option, since it doesn’t require keeping a password in plain text anywhere on the system.
Alternatively, you can hide command line options like a password from ps output by inserting the value with another command using back ticks. For example, you can put the password in a file called password.txt in the user’s home directory, and instead of putting the password in the command line put in
Just make sure you chmod 700 password.txt so only that user can read the file. Oh, and I’d probably name it something less obvious too, just for insurance.
Another thought: Some operating systems have settings that only let users see their own processes in ps. FreeBSD 4.x can be set to behave in this fashion by setting sysctl kern.ps_showallprocs to 0. FreeBSD 5.x has sysctls security.bsd.see_other_uids and security.bsd.see_other_gids that can both be set to 0 for the same effect. Linux needs kernel patches to accomplish this, like grsecurity, as one example.
Note that none of these controls restrict users with root access.
Hope you find these ideas useful!
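The per-script NOPASSWD rule above is only as safe as the script file itself: if ‘username’ can edit /usr/local/bin/script.sh, or replace it in a directory they can write to, the rule grants the same access as NOPASSWD: ALL. The check below is an added example, not part of the original answer; the function names and the optional owner-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the target of a "NOPASSWD: /path/to/script" sudoers rule.
# Assumption: owner_uid (2nd argument) defaults to 0 (root); it is a parameter
# only so the check can be exercised without root privileges.

# Print "<numeric uid> <mode string>" for a path, e.g. "0 -rwxr-xr-x".
_uid_mode() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $3, $1}'
}

# Succeed only if the path is owned by want_uid and is not writable by
# group or other. On Linux a symlink shows as lrwxrwxrwx and is rejected.
_locked_down() {
    path=$1; want_uid=$2
    set -- $(_uid_mode "$path")
    [ $# -eq 2 ] || { echo "cannot stat: $path" >&2; return 1; }
    [ "$1" = "$want_uid" ] || {
        echo "$path: owned by uid $1, expected $want_uid" >&2; return 1; }
    case $2 in
        ?????w*|????????w*)
            echo "$path: writable by group or other ($2)" >&2; return 1 ;;
    esac
    return 0
}

# Check the script and its directory: a user who can edit the file, or
# rename and replace it in a writable directory, controls what sudo runs.
audit_sudo_target() {
    target=$1; owner_uid=${2:-0}
    case $target in
        /*) ;;
        *) echo "not an absolute path: $target" >&2; return 1 ;;
    esac
    [ -f "$target" ] || { echo "not a regular file: $target" >&2; return 1; }
    _locked_down "$target" "$owner_uid" || return 1
    _locked_down "$(dirname "$target")" "$owner_uid" || return 1
    echo "ok: $target"
}

# Stand-alone use: sh audit.sh /usr/local/bin/script.sh
if [ $# -gt 0 ]; then audit_sudo_target "$@"; fi
```

Run it against the exact path named in the sudoers line before adding the rule, and again whenever the script is redeployed.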