Is there a password parameter for zypper or sudo? (more explanation in post)

Hey everyone,

So I have been looking all over the internet, sudo --help, the zypper man page, and zypper --help to see if there was a parameter so that I can put in the password. For example, the command would look something in, on, or around this: sudo zypper dup -y -p “insert password”.

Is there some way to do something similar, it does not exist, or it’s a security risk?

Well, yes, it’s a security risk.

However, you can set up public key authentication with ssh. And then you should be able to do something like:

ssh root@localhost "zypper dup"

I’m reading this differently so ignore me if I’m wrong. However, if you created a bash script called, say, “zypscr” with “sudo zypper dup”, then when you ran the script in a terminal it would automatically ask for the password. And that would be the same for anyone who had sudo rights.
Is this what you’re after?

Maybe I am reading a bit different again;).

zypper never asks for a password, thus if you can not find anywhere in man zypper any mentioning of how to give it a password (either by it asking for it or by giving it through an argument), you are correct.

sudo may ask for a password (depends on its configuration in sudoers). But it would of course be a big security risk if you could also give it the wanted password through an argument, because that would most probably lead to the statement, including the password, being used in a script and thus stored in readable form in a file. A big NoNo.

But depending on what you want (that is not clear, I reckon this as a typical case of Describe the goal, not the step) there might be other solutions.
OTOH trying to avoid the security built into a Unix/Linux system might not be a good idea.

On Tue, 03 Jul 2018 18:06:02 +0000, hcvv wrote:

> But it would of course be a big security risk if you could also give it
> the wanted password through an argument, because that would most
> probably lead to the statement, including the password, being used in a
> script and thus stored in readable form in a file. A big NoNo.

As well as being visible in a process list while the command was running.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Don’t sudo and su already require the User to input a password (assuming the User doesn’t do everything with elevated permissions)?

If you’re looking for an extra layer or level of security, typically people implement multi-factor authentication (You’ve already provided something you know, now you also have to provide something you have).

TSU

One word: salt.

Don’t even try. ‘sudo’ (and you would need a “password_here” in readable text in your script/command) simply does not support it, and zypper, for good reasons, doesn’t install/remove without root permissions.
A thing you can do though to automate things, is to write a systemd unit / timer that runs the command at certain intervals,

On Tue, 03 Jul 2018 21:26:03 +0000, tsu2 wrote:

> Don’t sudo and su already require the User to input a password
> (assuming the User doesn’t do everything with elevated permissions)?

sudo can allow you to set NOPASSWD in the settings, allowing commands to
be run without a password.

> If you’re looking for an extra layer or level of security, typically
> people implement multi-factor authentication (You’ve already provided
> something you know, now you also have to provide something you have).

Absolutely.

Jim

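For the NOPASSWD option mentioned above, this added example (not code from the thread) shows a sudoers rule limited to the exact command line `zypper dup -y`, plus a small check that flags NOPASSWD rules wider than that. The user name and the drop-in file are assumptions, and the check only understands single-command rules without aliases or line continuations.

```shell
#!/bin/sh
# Added example, not from the thread. User name and output file are
# whatever the caller passes in (assumptions for illustration).

# One sudoers rule: the user may run exactly "zypper dup -y" as root
# without a password prompt. Any other argument list still prompts.
narrow_rule() {   # $1 = user name
    printf '%s ALL=(root) NOPASSWD: /usr/bin/zypper dup -y\n' "$1"
}

# Return 0 when a rule's NOPASSWD grant is wider than one fixed command
# line. Handles single-command rules only (no aliases, no continuations).
nopasswd_too_broad() {   # $1 = one sudoers rule line
    case $1 in *NOPASSWD:*) ;; *) return 1 ;; esac
    cmd=${1#*NOPASSWD:}
    cmd=${cmd#"${cmd%%[! ]*}"}      # strip leading blanks
    cmd=${cmd%"${cmd##*[! ]}"}      # strip trailing blanks
    case $cmd in
        ALL|ALL\ *) return 0 ;;     # every command
        *[*?]*)     return 0 ;;     # wildcards in path or arguments
        *\ *)       return 1 ;;     # path plus fixed arguments
        *)          return 0 ;;     # bare path: sudo accepts any arguments
    esac
}

# Write the rule to a file and syntax-check it before it goes live.
write_dropin() {   # $1 = user, $2 = output file
    narrow_rule "$1" > "$2"
    chmod 0440 "$2"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$2" >/dev/null   # -c check only, -f this file
    fi
}
```

A file that passes the check can then be copied by root into /etc/sudoers.d/ under a name without dots, owned by root with mode 0440.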

Just a general remark here.

When I read the OP (opening post), it seems to me that the person asking is unsure whether the password prompt comes from “sudo” or from “zypper”.

That indicates to me that this is an inexperienced user. There’s nothing wrong with that. We all started as inexperienced users.

Some of the responders seem to have been reading too much into the question, and their responses may confuse the requestor.

What we do get, is that he/she wants to avoid being prompted for a password. Anything beyond that is guessing. Maybe we should wait for the user to explain in more detail, what he/she is trying to accomplish.

Oh, I should add that the password request is coming from “sudo”.

Thanks for all of the replies,

So I want to apologize for the confusion, was sleep deprived when I wrote it. But to Hcvv’s post, my goal is to be able to use a param or argument to pass in the password within the zypper command. I just started training in software development and I was using the mysql in the terminal and the command that I would use to access the database would be “mysql -u thisismyusername -p=thisismypassword” to bypass the password prompt. I thought it was cool and wanted to see if I can do it through the zypper command. It would be great to do because I can send the command to my computer from my phone.

I wasn’t sure if it was secure because it’s logged in my command history, but for someone to see them they would have to have access to my computer, right?

I was thinking about using cron jobs, but I have been lazy to try to figure it out again. Also, the way I remembered using it is that I would still have to write the password out in a script which to your point isn’t a good idea.
I will look for the docs for that.

If this is a cron job for user root, then it won’t need a password.

Yes you would need the root password to setup that cron job. But, once set up, it could run without needing to be given the root password.

As I read it, he is not looking for an extra level of security, but to remove a level of security.

As I explained earlier, the zypper command does not need a password. The only place in the zypper documentation

man zypper

where the word “password” is mentioned is where the talking is about using a Cifs directory as repository. Not something you are using I assume.

And when zypper does not use any password for any functionality, there is also no way to provide it to zypper. Not as an argument in the command line, not by typing it on a prompt on the terminal, never.

Apparently mysql needs a password for some functionality. And, as you have found out, that password can be provided through an argument on the command line. But there are hundreds of commands that do not need a password and zypper is one of them.

Maybe the @op needs to clarify, then.
I re-read the original post and I still don’t read it that way… I see the @op asking how to pass the required password as part of the zypper command…which to me is equivalent to asking for the root password.

But,
Let’s go ahead and look at the situation and requirements to understand what is possible…

Zypper is a command that requires elevated permissions to execute modifications on the underlying system.
By itself, I doubt that there is any way to apply special permissions to the command itself, instead the command must be executed in the proper environment (ie shell).

Beyond the fundamental description above,
The next most appropriate question is what the @OP is trying to do…
Insert into a BASH script?
Execute through a remote connection?
Insert into a BUILD script for some technology?

If I were to <really> guess,
The @op is asking how to execute a script (or command) that requires elevated permissions, but as a non-privileged User.
That would require passing the root password interactively in the script, and can be done a few ways… by a Heredoc (likely, I haven’t actually done that), or by inserting the password into a variable and passing the variable when creating the elevated shell. In any case, when this is done be careful who sees this script because your root password is stored in clear text.

PS. To @OP
In lay words, if this is what you want, then you need to create a 2 part script…

  1. Invoke a shell with elevated permissions
  2. Execute your zypper command in the elevated shell.

If the @OP was more detailed in his full set of objectives,
Then the most appropriate solution can be offered.

IMO,
TSU

Try this as your normal user, replace YOURUSER by your own username.
It creates a hidden folder, then a small script that contains the zypper command incl. the -y option, then makes the script executable, then creates a file for the cronjob that will make the command run every day (the 0) at 2 AM (the 2), no specified minutes, secs etc. The last command is invoked as root and will activate the cronjob.


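mkdir ~/.zypper-cron    # hidden folder in your home directory

echo "/usr/bin/zypper dup -y" > ~/.zypper-cron/zypper-dup    # the script cron will run

chmod 755 ~/.zypper-cron/zypper-dup    # make the script executable

echo "0 2 * * *  /home/YOURUSER/.zypper-cron/zypper-dup 2>&1" > ~/.zypper-cron/cronfile    # crontab entry: minute 0, hour 2, every day
sudo crontab /home/YOURUSER/.zypper-cron/cronfile    # installs the file as root's crontab, replacing any entries already there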

T
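Because the commands above leave a script in YOURUSER's home directory that root's crontab executes, anything running as YOURUSER can rewrite that script and have it run as root; keeping the script in a root-owned directory such as /usr/local/sbin avoids this. The added example below (not code from the thread) audits a cron script's path for components a non-root account can modify. It assumes Linux with GNU coreutils, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with GNU coreutils
# (stat -c, readlink -f). Function names are illustrative.

# Can someone other than root change a path with this owner and mode?
# True when the owner is not uid 0 or a group/world write bit is set.
perm_unsafe() {   # $1 = owner uid, $2 = octal mode, e.g. 755 or 1777
    [ "$1" -ne 0 ] || [ $(( 0$2 & 022 )) -ne 0 ]
}

# Check an absolute path and every parent directory up to /.
# Prints each unsafe component; returns 1 if any, 2 on a stat error.
walk_up() {
    p=$1 found=0
    while :; do
        info=$(stat -L -c '%u %a' "$p") || return 2
        if perm_unsafe "${info% *}" "${info#* }"; then
            printf 'UNSAFE uid=%s mode=%s %s\n' "${info% *}" "${info#* }" "$p"
            found=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$found"
}

# Audit the path as written in the crontab and, if it goes through
# symlinks, the resolved path as well.
root_job_path_unsafe() {   # $1 = absolute path of the script cron runs
    case $1 in /*) ;; *) return 2 ;; esac
    real=$(readlink -f "$1") || return 2
    rc=0
    walk_up "$1" || rc=$?
    if [ "$real" != "$1" ]; then
        walk_up "$real" || rc=$?
    fi
    return "$rc"
}

# Usage: sh audit-root-job.sh /home/YOURUSER/.zypper-cron/zypper-dup
if [ -n "${1:-}" ]; then
    root_job_path_unsafe "$1"
fi
```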

That’s an idea…
If you configure a cron job, then your command will run in a system security context so should already have elevated permissions, avoiding the problem of elevating from a normal User.

Although it looks like what Knurpht posted doesn’t actually run “as system,” I wonder whether the effort to run a cronfile in /home and run sudo is worth the effort compared to creating a normal cronjob…

Always open to something I hadn’t thought of…

TSU

Wow, thank you all for all the information. I am learning so much from all of your posts! I am really liking the hidden folder trick and will give it a go.

Again, I want to apologize for the level of ambiguity in my original post.