How to start an interactive shell with sudo -S

giskard22
08-23-2005, 05:04 PM
The -S option for 'sudo' is confusing the heck out of me. I want to launch an interactive root shell using an admin password from stdin instead of the console. In other words, I wish to do "sudo su" with the password coming from stdin instead of having to type it.

I thought that 'echo "password" | sudo -S su' would do it. I tried using 'bash' instead of 'su'. In both cases, I get the following:
[code]SB-1:~ ailv$ echo "passwordhere" | sudo -S su
Password:
SB-1:~ ailv$[/code]
However, at that point it seems that the "sudo timer" has started, because if I then do 'sudo su' with no password info I get a root shell. So I'm successfully authenticating, but I'm not executing the specified command the way I thought I would.

What am I missing? I suppose I can just do this with two commands, but I'd like to understand how the -S option is supposed to work.

hayne
08-23-2005, 05:24 PM
1) I think what you are seeing is that the command 'su' is taking its input from stdin and hence the shell exits when it gets to the end of input (from the piped in stdin).

2) I'm not sure what you are trying to do, but you should be aware that if you have a script that inputs the password via stdin as part of the script, then the password will show up in a 'ps -auxww' so any user on the machine can see it.
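
An added illustration of the stdin behaviour described in point 1 above; it is not part of the original thread. `fake_sudo_S` is a constructed stand-in for `sudo -S` (it reads one line from stdin, then runs the command with that same stdin), so the script runs without a real password or root.

```shell
#!/bin/sh
# Added illustration; fake_sudo_S is a constructed stand-in, not sudo itself.
# Like `sudo -S cmd`, it takes one line (the "password") from stdin and then
# runs cmd with that same stdin still attached.
fake_sudo_S() {
    IFS= read -r _password || return 1   # consume exactly one line
    "$@"                                 # child inherits what is left of stdin
}

# Child that reports what it finds on stdin, the way a shell looks for its
# first command line.
probe='if IFS= read -r line; then echo "child read: $line"; else echo "child saw EOF"; fi'

# Case 1: the pipe holds only the password (the situation in the thread).
# Nothing is left for the child, so a shell started here exits at once.
only_password() {
    printf '%s\n' 'constructed-password' | fake_sudo_S sh -c "$probe"
}

# Case 2: anything after the first line goes to the child as its input.
# A shell started this way runs those lines as commands, then hits EOF.
password_then_commands() {
    printf '%s\n' 'constructed-password' 'echo ran-in-child' | fake_sudo_S sh
}

# Case 3: exit status of a shell fed only the password. It is 0, a clean
# exit at EOF, which matches the bare prompt with no error in the thread.
child_status_at_eof() {
    printf '%s\n' 'constructed-password' | fake_sudo_S sh
    echo "$?"
}

only_password
password_then_commands
child_status_at_eof
```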

giskard22
08-23-2005, 07:33 PM
The problem is that I need a RealBasic (ick, I know) application to launch a root shell. RB provides no access to the OS X authentication functions. So I either need to launch the entire application as root, or I need to get an admin password and use sudo.

I ended up finding a way to have RB type the password the user enters at the sudo prompt, so I don't actually have to use the -S option.

For curiosity's sake though: I was getting desperate, and I was going to write the password to a file, do 'cat passwordfile | sudo -S su', then immediately 'srm' the file. Would that have exposed the password to the 'ps' command?

hayne
08-23-2005, 07:49 PM
[quote]I was going to write the password to a file, do 'cat passwordfile | sudo -S su', then immediately 'srm' the file. Would that have exposed the password to the 'ps' command?[/quote]

While the password wouldn't show up in the output from 'ps', you would still be creating a security hole since that password file would exist for a short period of time and a malicious user could write a script to grab the file in the short interval before you removed it.

giskard22
08-23-2005, 07:52 PM
Yeah, that's why I was glad to find the other way. :)

RealBasic has some pretty annoying issues, but it really does let you create a relatively complicated program easily.


 
