Sudo Add User Script

Home » CentOS » Sudo Add User Script
CentOS 3 Comments

Hello list,

I took another stab at finding a way to add a sudo user remotely and it gets you most of the way there. If you execute the script as root it works beautifully and does just what you want. Which is add the user to the group and gives that user group rights to certain commands.

But if you execute it as a user who only has sudo access to the
/etc/sudoers file it errors out.

cloud:~] bluethundr% ./add_sudo.sh reverse mapping checking getaddrinfo for $host failed – POSSIBLE BREAK-IN
ATTEMPT!
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again.
[sudo] password for bluethundr: Sorry, try again. sudo: 3 incorrect password attempts Connection to $host closed.
1
reverse mapping checking getaddrinfo for $host failed – POSSIBLE BREAK-IN
ATTEMPT!
bash: /tmp/sudoers.tmp: Permission denied Connection $host to closed.
1

The main problem is that the script doesn’t enter the password.

I’m attempting to echo the user’s sudo pass in like this:

$SSH -t $USER@$HOST ‘echo $PASSWD | $SUDO -S
$CP /etc/sudoers /tmp/sudoers-template’

(of course I’m trying it out in my own environment before I try to use it in their environment).

Here’ s the script itself, I was hoping you could offer some help here:

#!/bin/bash

SSH=’/usr/bin/ssh’
ECHO=’/bin/echo’
TEE=’/usr/bin/tee’
SUDO=’/usr/bin/sudo’
VISUDO=’/usr/sbin/visudo’
CP=’/bin/cp’
CAT=’/bin/cat’
USER=’user’
HOST=’beta’
PASSWD=’secret’

$SSH -t $USER@$HOST ‘echo $PASSWD | $SUDO -S
$CP /etc/sudoers /tmp/sudoers-template’

echo $?

if [ $? -eq 0 ]; then
$SSH -t $USER@$HOST ‘echo $PASSWD | $SUDO
-S echo “%my_group ALL=(root) NOPASSWD: /sbin/service, /bin/rm,
/usr/bin/du, /bin/df” > /tmp/sudoers.tmp’
echo $?

if [ $? -eq 0 ]; then
$SSH -t $USER@$HOST “echo $PASSWD | $SUDO
-S $CAT /tmp/sudoers.tmp | $TEE -a /tmp/sudoers-template”
echo $?

if [ $? -eq 0 ]; then

$SSH $USER@$HOST “$VISUDO -cf
‘/tmp/sudoers-template’ 2>&1 >& /dev/null”
echo $?

if [ $? -eq 0 ]; then
$SSH -t $USER@$HOST “echo $PASSWD |
$SUDO -S $CP ‘/etc/$SUDOers’ ‘/tmp/sudoers.bak'”
echo $?

if [ $? -eq 0 ]; then
$SSH -t $USER@$HOST “echo $PASSWD |
$SUDO -S $CP ‘/tmp/$SUDOers-template’ ‘/etc/sudoers'”
echo $?

if [ $? -eq 0 ]; then
$SSH -t $USER@$HOST “echo $PASSWD |
$SUDO -S $VISUDO -cf ‘/etc/sudoers'”

fi
if [ $? -eq 0 ]; then
$ECHO -e “You have successfully added the user to sudoers”
fi
fi
fi
fi
fi fi

Thanks!

3 thoughts on - Sudo Add User Script

  • Consider using the NOPASSWD option, on the remote systems, to allow this particular use to run this particular script.

  • Consider using the NOPASSWD option, on the remote systems, to allow this particular use to run this particular script.

  • Some notes:

    Every time you “echo $?”, you are wiping out the return status (because echo returns a success and changes $? to 0), so none of your if statements will ever catch any errors.

    Consider getting rid of the ‘if’ subtrees by negating your condition, which will make it much easier to understand what’s going on. Having 6 levels of nested ‘if’s is a sure sign that something should be done differently.
    some_command
    if [[ $? -ne 0 ]]; then
    exit 1
    fi

    Take a look at the bash PIPESTATUS variable and make sure you are checking the return value of the command you actually want to know about.

    Skip the sudoers.tmp stuff and just use the echo command to append to sudoers-template directly with:
    echo “…” >> /tmp/sudoers-template

    You have a few commands that try to reference a file called “$SUDOers” and
    “$SUDOers-template”, which might expand to /usr/bin/sudoers, or might be the literal “$SUDOers”, either of which is most definitely not what you want.

    Not sure what all that “http://host.jokefire.com” stuff is, but you’ve already specified your host in $USER@$HOST. Also, http://… makes no sense there.

    You first few $SSH lines use single quotes, so the variables inside will never get expanded, so you’ll be trying the literal ‘$PASSWD’ as the password.

    In addition to all of that, your approach is overly complicated. Something much more succinct should work just fine (untested general pseudo-code):

    # Make temp copy to work on
    if cp /etc/sudoers /tmp/sudoers.tmp; then
    # If sudoers doesn’t contain your line, then add it
    if ! grep -q “%my_group” /etc/sudoers; then
    echo “%my_group …” >> /tmp/sudoers.tmp
    fi
    # Check syntax. Replace original file if OK, otherwise, exit with error
    if visudo -cf /tmp/sudoers.tmp; then
    mv -f /tmp/sudoers.tmp /etc/sudoers
    else
    exit 1
    fi
    else
    exit 1
    fi

    Since you already have access to SSH, why not copy a full script file to the server and execute it, instead of doing each step in a separate ssh?
    Like:
    scp update_sudoers.sh user@host:/tmp
    SSH -t user@host “echo $PASSWD | sudo -S ‘bash /tmp/update_sudoers.sh;
    rm -f /tmp/update_sudoers.sh'”
    That won’t work if the server has /tmp mounted with the “noexec” option, but you get the idea.

    It could also probably be converted into a (long) one-liner and executed using a single ssh/sudo command. Just be careful about quoting.

    ❧ Brian Mathis

    CentOS mailing list CentOS@CentOS.org http://lists.CentOS.org/mailman/listinfo/CentOS

LEAVE A COMMENT