read the password from stdin when using "doas"

Hi

I want to automatically transfer a setup script and run it on freshly installed FreeBSD 13.2 machines. The problem is that the script requires elevated privileges. In Linux, the command $ echo 'password' | sudo -S ./setup.sh would do the trick, but it seems like it's not possible to read the password from stdin in FreeBSD. Are there any ways around this?
 
Be more specific: Do you want to use sudo or doas? The title says second, the text first… And just to be sure: You mustn't switch from sudo to doas when using FreeBSD - there's a port/package security/sudo. If you want to use doas you can simply allow your user to execute a specific command without a password, so there's no need to read a password by stdin (also possible with sudo).
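One way to audit the kind of rule suggested in the reply above (an added example, not code from the thread): a small sh/awk lint that flags doas.conf `nopass` rules that are not limited to a single absolute command path. The `deploy` account, the script path and the sample config are constructed assumptions.

```shell
#!/bin/sh
# Added example: lint doas.conf for "nopass" rules not pinned to one command.
# The "deploy" account and /usr/local/sbin/setup.sh are assumed names.

# Constructed sample config (not taken from the thread).
sample_conf() {
cat <<'EOF'
# bootstrap rules
permit nopass deploy as root cmd /usr/local/sbin/setup.sh
permit nopass deploy as root
permit nopass :wheel cmd setup.sh
permit persist :wheel
deny deploy cmd /sbin/reboot
EOF
}

# Read a doas.conf on stdin and print "lineno: reason: rule" for every
# passwordless rule that is broader than one absolute command path.
lint_nopass() {
    awk '
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    $1 == "permit" {
        nopass = 0; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "nopass") nopass = 1
            # the word after "cmd" is the command; stop before its args
            if ($i == "cmd" && i < NF) { cmd = $(i + 1); break }
        }
        if (!nopass) next              # password is still required
        if (cmd == "")
            printf "%d: no cmd restriction: %s\n", NR, $0
        else if (cmd !~ /^\//)
            printf "%d: cmd is not an absolute path: %s\n", NR, $0
    }'
}

# On a real system: lint_nopass < /usr/local/etc/doas.conf
```

On the sample config this reports lines 3 and 4 and accepts line 2, the rule limited to the setup script.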
 
Be more specific: Do you want to use sudo or doas? The title says second, the text first… And just to be sure: You mustn't switch from sudo to doas when using FreeBSD - there's a port/package security/sudo. If you want to use doas you can simply allow your user to execute a specific command without a password, so there's no need to read a password by stdin (also possible with sudo).
I'm open to everything as long as it works. The problem is that this is a clean install and the first interaction with the freshly installed OS is that I copy a script and execute it with elevated privileges from a different computer. I'm guessing that allowing a user to execute a specific command without a password requires elevated privileges?
 
Shouldn't the "first interaction with the freshly installed system" be to install sudo or doas? The user who installs these has higher privileges, so he can run the script in the first place? :)

If not, the user who installs the packages might as well edit the sudoers file or the doas config file, so that no passwords are needed?


I once used a named pipe to feed sudo the password, but that is probably not the proper way to do it.

Code:
echo "password" | sudo -S whoami
That works, doesn't it?
 
The problem is that this is a clean install and the first interaction with the freshly installed OS is that I copy a script and execute it with elevated privileges from a different computer.
On a clean, fresh install there is no sudo, doas or super (or anything else like that - only Ubuntu and its derivatives have sudo, and you can't rely on them on other Linux installations).
But someone configured that machine to have a user account with a remote login, and you have the root password. So why not log in, switch to root and execute that command from root's shell? All you need is to add your user to the "wheel" group while setting up that user account, and your user can do a su - to become root and execute that script. No need for sudo & co.
 
[…] automatically transfer a setup script […]
To corroborate what jmos wrote: Do you need to transfer the script or can you just execute it? If it is non-interactive you can simply
Bash:
workstation% ssh user@vanillamachine < setup.sh
so the setup.sh script remains on the workstation.
[…] it's not possible to read the password from stdin in FreeBSD. […]
You do not want passwords as command-line arguments. It may end up stored in all kinds of places (e. g. shell’s history file, ps(1), audit log). If your script needs some predictable interaction you could have a look at lang/expect (or similar):
Bash:
#!/usr/bin/env expect
spawn ssh user@vanillamachine
expect "Password for user@vanillamachine.home.arpa:" { send "toor\r" }
interact
(Confirmation of host key fingerprint has been omitted for demonstration purposes.)
 
If you're trying to set up passwords for users:
Code:
echo 'password' | pw usermod -n <username> -h0 -

Code:
echo "password" | sudo -S whoami
That works, doesn't it?
I've learned that it's best to avoid including sudo in commands and reserve it for interactive use.
 