
I need help with a sudo -A command in a shell script. The -A option is for AskPass. According to the sudo man page:

Normally, if sudo requires a password, it will read it from the user's terminal. If the -A (askpass) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the standard output. If the SUDO_ASKPASS environment variable is set, it specifies the path to the helper program.

I'm interested in AskPass because I'm running apache2 (v 2.4.41) on an Ubuntu 16.04 server. The Apache webpage needs to execute a shell script. The webpage executes the script as user www-data. But the script needs to run another program that can only be run as user user1. So I need sudo --AskPass so that user www-data can run user user1's code.

My setup: Following such examples as here and here, I've written these two scripts in the /var/www/html/ directory:

user1@myUbuntu:/var/www/html$ ls -l
-rwxr-xr-x 1   www-data   TestUsers    29 Feb 28 11:34 passwdScript.sh
-rwxrwxr-x 1   www-data   TestUsers  2009 Feb 28 11:32 webpageScript.sh
user1@myUbuntu:/var/www/html$

(Group TestUsers includes users www-data and user1.) The little passwdScript.sh script is meant to send user1's password to STD OUT:

user1@myUbuntu:/var/www/html$
user1@myUbuntu:/var/www/html$ more passwdScript.sh
#!/bin/sh
echo 'myPassword'
user1@myUbuntu:/var/www/html$
user1@myUbuntu:/var/www/html$ ./passwdScript.sh
myPassword
user1@myUbuntu:/var/www/html$

(Yes, I know this is highly insecure, but I will be the only person using this server. I'm worried about functionality only.)

Okay: Now that the above is set up, here's my webpageScript.sh script, which is meant to call sudo --AskPass:

echo "Script is running."
export SUDO_ASKPASS="/var/www/html/passwdScript.sh"
echo "Test :: $SUDO_ASKPASS"
cd /home/user1/path/to/other/directory
pwd
sudo -u user1 --askpass $SUDO_ASKPASS 'runUser1Script.exe'
echo "Finished running the script."

Here's the less-than-impressive output:

user1@myUbuntu:/var/www/html$
user1@myUbuntu:/var/www/html$ sudo -u www-data ./webpageScript.sh
Script is running.
Test :: /var/www/html/passwdScript.sh
/home/user1/path/to/other/directory
Sorry, try again.
Sorry, try again.
sudo: 3 incorrect password attempts
Finished running the script.
user1@myUbuntu:/var/www/html$
user1@myUbuntu:/var/www/html$

So obviously the sudo --askpass command is failing to accept user1's password. I've been trying variations on that command all day. Does anyone see what I'm doing wrong?

  • 2
    Ubuntu 16.04 has passed itself End-of-life date, and is no longer supported on AskUbuntu.
    – waltinator
    Commented Feb 28, 2022 at 17:47
  • 1
    I think the fundamental issue is that (at least in the default configuration) sudo requires the invoking user's password - not that of the target user
    Commented Feb 28, 2022 at 17:56
  • @steeldriver So when my script runs as www-data and then reaches command sudo -u user1 --askpass $SUDO_ASKPASS 'runUser1Script.exe', AskPass should be supplying www-data's password, not user1's? Wow. You just blew my mind...!
    – Pete
    Commented Feb 28, 2022 at 18:02
  • 2
    @Pete yes I believe so - unless you have set targetpw on in your sudo config. See man sudoers.
    Commented Feb 28, 2022 at 18:06
  • 1
    Ubuntu 16.04 LTS has reached the end of its standard support life, thus is now off-topic here unless your question is specific to helping you move to a supported release of Ubuntu. Ubuntu 16.04 ESM support is available, but not on-topic here, see askubuntu.com/help/on-topic See also ubuntu.com/blog/…
    – guiverc
    Commented Feb 28, 2022 at 22:13
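
Added example, not code from the question or the comments: a POSIX sh check for the two points the thread settles on, that sudo's -A/--askpass takes no argument (the helper path belongs only in SUDO_ASKPASS) and that the helper prints a password, so it must not be readable by other users the way the 755 passwdScript.sh above is. Paths and names (passwdScript.sh, user1, runUser1Script.exe) are taken from the question; the password value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the question. Assumed names: the helper path,
# user1 and runUser1Script.exe come from the question above.

# Return 0 only if HELPER is a regular, owner-executable file with no group or
# other permission bits (mode 700 or 500). The question's helper is 755, so
# every local user could read the password it prints.
askpass_helper_ok() {
    helper=$1
    [ -f "$helper" ] || return 1
    # First 10 chars of ls -ld are the type and permission bits; this works
    # on both GNU and BSD userlands (stat's flags differ between them).
    perms=$(ls -ld "$helper" | cut -c1-10) || return 1
    case "$perms" in
        -rwx------|-r-x------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the command line that expresses the question's intent: -A takes no
# argument, the helper path is only in SUDO_ASKPASS, and what follows -u is
# the program to run. The password sudo asks the helper for is the INVOKING
# user's (www-data here), not user1's, unless "Defaults targetpw" is set.
askpass_invocation() {
    helper=$1; target=$2; shift 2
    printf 'SUDO_ASKPASS=%s sudo -A -u %s %s\n' "$helper" "$target" "$*"
}

# Reproduce the question's layout in a temp dir and report what the check says.
demo() {
    dir=$(mktemp -d) || return 1
    helper="$dir/passwdScript.sh"
    printf '#!/bin/sh\necho constructed-placeholder-password\n' > "$helper"
    chmod 755 "$helper"   # as in the ls -l output from the question
    if askpass_helper_ok "$helper"; then echo "755 helper: ok"
    else echo "755 helper: REJECTED (password readable by others)"; fi
    chmod 700 "$helper"
    if askpass_helper_ok "$helper"; then echo "700 helper: ok"
    else echo "700 helper: REJECTED"; fi
    askpass_invocation "$helper" user1 ./runUser1Script.exe
    # Least-privilege alternative that stores no password at all: a sudoers
    # rule limited to the one program, e.g.
    #   www-data ALL=(user1) NOPASSWD: /home/user1/path/to/other/directory/runUser1Script.exe
    rm -rf "$dir"
}

demo
```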
