How to enter password only once in a bash script needing sudo

Data

I want operator users on this machine to mount their own cifs shares

The sudoers file already contains the /bin/mount -t cifs //*/* /media/* -o username=* command for all operators

I want the users to mount a cifs share through a script typing the password only once, not twice.

The sudo password and the cifs password are identical.

What I already have

This script works:

#!/bin/bash

sudo 'mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but it requires the users to type the same password twice!

Once for sudo

Once for the mount itself

This would also work:

#!/bin/bash

echo -n Password: 

read -s szPassword

echo $szPassword | sudo -S sh -c 'echo $szPassword | mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but this would require me to allow all operator users to be able to sudo sh (major security problem)

Question

How to mount a cifs share in bash¹ without putting sh in the sudoers file nor creating a permanent/temporary file???

_{Note 1: no python, perl, C, Go, ... please?}
_{Note 2: I know I can just remove the password through the sudoers file, but I'm trying to tighten security, not loosen it, without giving up convenience...}

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

2

How about printf "%sn" "$szPassword" "$szPassword" | sudo -S mount -t cifs / ...?
– muru
Dec 20 '15 at 14:48

Trying that now! @Muru
– Fabby
Dec 20 '15 at 15:03

add a comment |

Data

I want operator users on this machine to mount their own cifs shares

The sudoers file already contains the /bin/mount -t cifs //*/* /media/* -o username=* command for all operators

I want the users to mount a cifs share through a script typing the password only once, not twice.

The sudo password and the cifs password are identical.

What I already have

This script works:

#!/bin/bash

sudo 'mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but it requires the users to type the same password twice!

Once for sudo

Once for the mount itself

This would also work:

#!/bin/bash

echo -n Password: 

read -s szPassword

echo $szPassword | sudo -S sh -c 'echo $szPassword | mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but this would require me to allow all operator users to be able to sudo sh (major security problem)

Question

How to mount a cifs share in bash¹ without putting sh in the sudoers file nor creating a permanent/temporary file???

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

2

How about printf "%sn" "$szPassword" "$szPassword" | sudo -S mount -t cifs / ...?
– muru
Dec 20 '15 at 14:48

Trying that now! @Muru
– Fabby
Dec 20 '15 at 15:03

add a comment |

Data

I want operator users on this machine to mount their own cifs shares

The sudoers file already contains the /bin/mount -t cifs //*/* /media/* -o username=* command for all operators

I want the users to mount a cifs share through a script typing the password only once, not twice.

The sudo password and the cifs password are identical.

What I already have

This script works:

#!/bin/bash

sudo 'mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but it requires the users to type the same password twice!

Once for sudo

Once for the mount itself

This would also work:

#!/bin/bash

echo -n Password: 

read -s szPassword

echo $szPassword | sudo -S sh -c 'echo $szPassword | mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but this would require me to allow all operator users to be able to sudo sh (major security problem)

Question

How to mount a cifs share in bash¹ without putting sh in the sudoers file nor creating a permanent/temporary file???

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

Data

I want operator users on this machine to mount their own cifs shares

The sudoers file already contains the /bin/mount -t cifs //*/* /media/* -o username=* command for all operators

I want the users to mount a cifs share through a script typing the password only once, not twice.

The sudo password and the cifs password are identical.

What I already have

This script works:

#!/bin/bash

sudo 'mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but it requires the users to type the same password twice!

Once for sudo

Once for the mount itself

This would also work:

#!/bin/bash

echo -n Password: 

read -s szPassword

echo $szPassword | sudo -S sh -c 'echo $szPassword | mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER'

...but this would require me to allow all operator users to be able to sudo sh (major security problem)

Question

How to mount a cifs share in bash¹ without putting sh in the sudoers file nor creating a permanent/temporary file???

bash scripts sudo

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

edited Dec 21 at 8:05

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

asked Dec 20 '15 at 14:43

Fabby

26.4k1360159

2

How about printf "%sn" "$szPassword" "$szPassword" | sudo -S mount -t cifs / ...?
– muru
Dec 20 '15 at 14:48

Trying that now! @Muru
– Fabby
Dec 20 '15 at 15:03

add a comment |

2

How about printf "%sn" "$szPassword" "$szPassword" | sudo -S mount -t cifs / ...?
– muru
Dec 20 '15 at 14:48

Trying that now! @Muru
– Fabby
Dec 20 '15 at 15:03

How about printf "%sn" "$szPassword" "$szPassword" | sudo -S mount -t cifs / ...?
– muru
Dec 20 '15 at 14:48

Trying that now! @Muru
– Fabby
Dec 20 '15 at 15:03

add a comment |

4 Answers
4

active

oldest

votes

You should instead make the user do the call of using sudo as sudo script. just check if the script is being run as root, if not ask for it

if [[ $EUID -ne 0 ]]; then

   echo "This script must be run as root, use sudo "$0" instead" 1>&2

   exit 1

fi

Don't try to capture the password of your users.

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

1

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

1

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

|
show 1 more comment

I'm dumb!

The following script:

#!/bin/bash

read -p "Password: " -s szPassword

printf "%sn" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword"

just works and:

Doesn't create any files containing passwords

Allows the user to type only one password for multiple shares (including Windows ones)

Has no need for extra privileges to be granted. :-)

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

1

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

3

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

add a comment |

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers, include something like

ALL        ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Note: I took the command verbatim from what you included in the question; I didn't check whether its wildcards would allow for users to do something nasty. Read the sudoers manpage for examples of nastiness. In particular, note that this line in sudoers allows the user to add any number of -o switches or other arguments to mount. You may want to rethink your approach, e.g. by adding a script such as @Braiam proposes and allow running that through sudo without extra authentication. The script then ensures that users can only run the specific form of mount that you want them to run.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

add a comment |

A general solution to these issues is to put the following preamble at the top of your sudo requiring scripts:

#!/bin/bash

case $EUID in

   0) : cool we are already root - fall through ;;

   *) # not root, become root for the rest of this session

      # (and ask for the sudo password only once)

      sudo $0 "$@" ;;

esac

# now the present process is effective-UID  (root)

# so there's no need to put sudo in front of commands



any more commands here will run as superuser ...

Obviously, this has a downside in that if some commands in the script don't require sudo to run, there's an unnecessary elevation of privileges here.

Anyway, thought I would share this little tip. The nicest thing about it, is that if you're already effective-uid root (e.g. if you already called it under sudo) it gracefully does the right thing. Also giving an error and forcing you to retype/rerun (with sudo) is less friendly.

You may also want to check out the timestamp_timeout variable in man 5 sudoers which tells sudo to remember user credentials for a limited number of minutes (and can be fractional).

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

I oversimplified the script to get an easy answer: the script already contains: #test if root: if not: bail out if [[ $EUID -ne 0 ]]; then echo "This script must be run as root, use sudo "$0" instead" 1>&2 exit 1 fi The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

1

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

add a comment |

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f711580%2fhow-to-enter-password-only-once-in-a-bash-script-needing-sudo%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

4 Answers
4

active

oldest

votes

4 Answers
4

active

oldest

votes

You should instead make the user do the call of using sudo as sudo script. just check if the script is being run as root, if not ask for it

if [[ $EUID -ne 0 ]]; then

   echo "This script must be run as root, use sudo "$0" instead" 1>&2

   exit 1

fi

Don't try to capture the password of your users.

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

1

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

1

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

|
show 1 more comment

You should instead make the user do the call of using sudo as sudo script. just check if the script is being run as root, if not ask for it

if [[ $EUID -ne 0 ]]; then

   echo "This script must be run as root, use sudo "$0" instead" 1>&2

   exit 1

fi

Don't try to capture the password of your users.

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

1

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

1

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

|
show 1 more comment

You should instead make the user do the call of using sudo as sudo script. just check if the script is being run as root, if not ask for it

if [[ $EUID -ne 0 ]]; then

   echo "This script must be run as root, use sudo "$0" instead" 1>&2

   exit 1

fi

Don't try to capture the password of your users.

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

You should instead make the user do the call of using sudo as sudo script. just check if the script is being run as root, if not ask for it

if [[ $EUID -ne 0 ]]; then

   echo "This script must be run as root, use sudo "$0" instead" 1>&2

   exit 1

fi

Don't try to capture the password of your users.

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

answered Dec 20 '15 at 22:11

Braiam

51.3k20136219

1

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

1

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

|
show 1 more comment

1

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

1

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

Perhaps I'm missing something, but can you explain how this reduces the number of password prompts from two to one? Otherwise I don't see how this answers the question.
– Oliphaunt
Dec 21 '15 at 11:36

@Oliphaunt I don't see two password prompts, can you explain that? Also, this answer is not what OP wants, but what it needs. Is clean and proper solution when you need to run commands as root, and how other utilities do (check if root, otherwise bail out)
– Braiam
Dec 21 '15 at 14:08

The OP's problem (as I understand it) is that the user is prompted for their password by sudo and then (upon succesfully authenticating) again by mount. In their use case, these passwords are identical so I can see why the OP would like the user to only have to enter this password once. I don't believe your solution helps with this. I do agree that one shouldn't capture passwords.
– Oliphaunt
Dec 21 '15 at 14:19

Thanks, but I might have oversimplified the question a bit: It is a script already, already contains that test (except the 1>&2), is in the autostart and it used to be just one cifs share, but now it's three, so really one password is needed. (It already contains that test in case someone else, not member of the operators group, tries to run it)
– Fabby
Dec 21 '15 at 17:40

@Fabby I still think you are approaching the problem incorrectly. For these cases there are helper to "remember" the password of a CIFS/SMB share securely (editing ~/.smbcredentials for example), and even without the need of sudo (if you use gvfs, umount or polkit).
– Braiam
Dec 21 '15 at 18:10

|
show 1 more comment

I'm dumb!

The following script:

#!/bin/bash

read -p "Password: " -s szPassword

printf "%sn" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword"

just works and:

Doesn't create any files containing passwords

Allows the user to type only one password for multiple shares (including Windows ones)

Has no need for extra privileges to be granted. :-)

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

1

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

3

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

add a comment |

I'm dumb!

The following script:

#!/bin/bash

read -p "Password: " -s szPassword

printf "%sn" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword"

just works and:

Doesn't create any files containing passwords

Allows the user to type only one password for multiple shares (including Windows ones)

Has no need for extra privileges to be granted. :-)

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

1

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

3

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

add a comment |

I'm dumb!

The following script:

#!/bin/bash

read -p "Password: " -s szPassword

printf "%sn" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword"

just works and:

Doesn't create any files containing passwords

Allows the user to type only one password for multiple shares (including Windows ones)

Has no need for extra privileges to be granted. :-)

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

I'm dumb!

The following script:

#!/bin/bash

read -p "Password: " -s szPassword

printf "%sn" "$szPassword" | sudo --stdin mount -t cifs //192.168.1.1/home /media/$USER/home -o username=$USER,password="$szPassword"

just works and:

Doesn't create any files containing passwords

Allows the user to type only one password for multiple shares (including Windows ones)

Has no need for extra privileges to be granted. :-)

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

edited Mar 6 '16 at 11:56

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

answered Dec 20 '15 at 15:16

Fabby

26.4k1360159

1

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

3

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

add a comment |

1

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

3

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

1 question: does that echo the command into the process list?
– Rinzwind
Dec 20 '15 at 15:40

@Rinzwind as a built-in, it shouldn't in bash or zsh. The mount command could, though.
– muru
Dec 20 '15 at 16:06

<<< could also be used instead of printf , but better approach would be to drop read altogether and just use sudo --stdin all by itself. Something like $ printf "Type out your passwordn" && sudo --stdin apt-get update User still can type in the sudo password. and that won't put it into process list. But of course there's infinite amount of possible other security issues, like keyloggers, potential vulnerabilities in sudo, and blah, and blah, and blah into infinity
– Sergiy Kolodyazhnyy
Jul 13 '17 at 7:55

@SergiyKolodyazhnyy: Feel free to edit, man!
– Fabby
Jul 15 '17 at 20:46

add a comment |

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers, include something like

ALL        ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

add a comment |

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers, include something like

ALL        ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

add a comment |

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers, include something like

ALL        ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

Require no sudo password for executing this command; the password prompt for mount remains.

In sudoers, include something like

ALL        ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

After including this, sudo will no longer ask for a password for this specific command; the user still needs to provide a password to the mount command.

Also, instead of allowing this for all users, you could also limit this to members of a certain group, e.g. you could create a group cifsmount and then have

%cifsmount ALL = NOPASSWD: /bin/mount -t cifs //*/* /media/* -o username=*

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

edited Dec 21 '15 at 14:34

answered Dec 20 '15 at 17:42

Oliphaunt

1476

answered Dec 20 '15 at 17:42

Oliphaunt

1476

answered Dec 20 '15 at 17:42

Oliphaunt

1476

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

add a comment |

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

@Fabby Sorry, but what's so dangerous about this? Also I may be detecting a hint of sarcasm, not sure.
– Oliphaunt
Dec 20 '15 at 20:50

well, even if sudo doesn't require a password, mount might still require a password. The /etc/sudoers file could be used to just make sudo not require a password. That wouldn't affect whether mount asks for a password. If a person failed to mount, then sudo would just end up running a command that fails, which is likely not a problem.
– TOOGAM
Dec 21 '15 at 8:49

@TOOGAM That was my intention. One password instead of two.
– Oliphaunt
Dec 21 '15 at 9:09

My intention is to keep one "operator" group in the sudoers file so if an operator tries to mount its own stuff, they still have to type a password, but to mount the "standard" operator mounts, they only have to type the password once instead of 5 times... But your solution might work for others, so upvoted... (and original comments removed)
– Fabby
Dec 21 '15 at 17:07

add a comment |

A general solution to these issues is to put the following preamble at the top of your sudo requiring scripts:

#!/bin/bash

case $EUID in

   0) : cool we are already root - fall through ;;

   *) # not root, become root for the rest of this session

      # (and ask for the sudo password only once)

      sudo $0 "$@" ;;

esac

# now the present process is effective-UID  (root)

# so there's no need to put sudo in front of commands



any more commands here will run as superuser ...

Obviously, this has a downside in that if some commands in the script don't require sudo to run, there's an unnecessary elevation of privileges here.

You may also want to check out the timestamp_timeout variable in man 5 sudoers which tells sudo to remember user credentials for a limited number of minutes (and can be fractional).

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

I oversimplified the script to get an easy answer: the script already contains: #test if root: if not: bail out if [[ $EUID -ne 0 ]]; then echo "This script must be run as root, use sudo "$0" instead" 1>&2 exit 1 fi The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

1

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

add a comment |

A general solution to these issues is to put the following preamble at the top of your sudo requiring scripts:

#!/bin/bash

case $EUID in

   0) : cool we are already root - fall through ;;

   *) # not root, become root for the rest of this session

      # (and ask for the sudo password only once)

      sudo $0 "$@" ;;

esac

# now the present process is effective-UID  (root)

# so there's no need to put sudo in front of commands



any more commands here will run as superuser ...

Obviously, this has a downside in that if some commands in the script don't require sudo to run, there's an unnecessary elevation of privileges here.

You may also want to check out the timestamp_timeout variable in man 5 sudoers which tells sudo to remember user credentials for a limited number of minutes (and can be fractional).

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

I oversimplified the script to get an easy answer: the script already contains: #test if root: if not: bail out if [[ $EUID -ne 0 ]]; then echo "This script must be run as root, use sudo "$0" instead" 1>&2 exit 1 fi The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

1

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

add a comment |

A general solution to these issues is to put the following preamble at the top of your sudo requiring scripts:

#!/bin/bash

case $EUID in

   0) : cool we are already root - fall through ;;

   *) # not root, become root for the rest of this session

      # (and ask for the sudo password only once)

      sudo $0 "$@" ;;

esac

# now the present process is effective-UID  (root)

# so there's no need to put sudo in front of commands



any more commands here will run as superuser ...

Obviously, this has a downside in that if some commands in the script don't require sudo to run, there's an unnecessary elevation of privileges here.

You may also want to check out the timestamp_timeout variable in man 5 sudoers which tells sudo to remember user credentials for a limited number of minutes (and can be fractional).

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

A general solution to these issues is to put the following preamble at the top of your sudo requiring scripts:

#!/bin/bash

case $EUID in

   0) : cool we are already root - fall through ;;

   *) # not root, become root for the rest of this session

      # (and ask for the sudo password only once)

      sudo $0 "$@" ;;

esac

# now the present process is effective-UID  (root)

# so there's no need to put sudo in front of commands



any more commands here will run as superuser ...

Obviously, this has a downside in that if some commands in the script don't require sudo to run, there's an unnecessary elevation of privileges here.

You may also want to check out the timestamp_timeout variable in man 5 sudoers which tells sudo to remember user credentials for a limited number of minutes (and can be fractional).

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

edited Dec 26 '15 at 9:11

answered Dec 26 '15 at 3:05

arielf

1,86321230

answered Dec 26 '15 at 3:05

arielf

1,86321230

answered Dec 26 '15 at 3:05

arielf

1,86321230

I oversimplified the script to get an easy answer: the script already contains: #test if root: if not: bail out if [[ $EUID -ne 0 ]]; then echo "This script must be run as root, use sudo "$0" instead" 1>&2 exit 1 fi The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

1

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

add a comment |

I oversimplified the script to get an easy answer: the script already contains: #test if root: if not: bail out if [[ $EUID -ne 0 ]]; then echo "This script must be run as root, use sudo "$0" instead" 1>&2 exit 1 fi The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

1

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

I oversimplified the script to get an easy answer: the script already contains:

#test if root: if not: bail out if [[ $EUID -ne 0 ]]; then    echo "This script must be run as root, use sudo "$0" instead" 1>&2    exit 1 fi

The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

I oversimplified the script to get an easy answer: the script already contains:

#test if root: if not: bail out if [[ $EUID -ne 0 ]]; then    echo "This script must be run as root, use sudo "$0" instead" 1>&2    exit 1 fi

The point is that it also contains multiple mounts all with the same password (again: removed), but thanks anyway...
– Fabby
Dec 26 '15 at 8:18

The point is that the solution above would require only one typing of the password (for sudo). It shouldn't require any other. Plus it is a general (and more elegant than giving an error and having to retype the command with sudo) for all similar issues, even when they require multiple (more than two) privileged commands.
– arielf
Dec 26 '15 at 9:19

It should but it doesn't! ;-) That's because each cifs share mount requires a password as well. (as it can be different from the Ubuntu password, but in this case isn't as the operators keep their Windows and Ubuntu passwords synchronised)
– Fabby
Dec 26 '15 at 9:23

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Ask Ubuntu!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

Some of your past answers have not been well-received, and you're in danger of being blocked from answering.

Please pay close attention to the following guidance:

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Cfxtrjtrk