How to sudo using another user's account password from a script?

2

I have a bash script running as user, a user account with no elevated privileges. The machine has a second account admin which has sudo privileges. There is no root password set.

The script knows the account password for admin. How do I escalate the script up to root?

sudo -S only handles the case of escalation using your current account's password, such as admin to root, but user is unprivileged, so this won't work.

su admin works but provides no way to take a password from STDIN.

To rephrase, how can I achieve the below programmatically?

$ su admin
Password: ******
$ sudo command
Password: ******

Bardi Harborow

Posted 2016-01-22T14:31:06.100

Reputation: 275

To preempt comments: Yes, I know storing passwords in a shell script is bad practice. It's part of an overall solution that is even messier. – Bardi Harborow – 2016-01-22T14:36:29.730

Can you add user to the sudoers file? – Rocket Hazmat – 2016-01-22T14:47:07.423

@Rocket, That would require root access, which is what I'm trying to get in the first place. This is for bulk deployment of an install script, otherwise I would just do it manually. – Bardi Harborow – 2016-01-22T14:49:11.270

Is there is no root password set, would su root (or just su) work? – Rocket Hazmat – 2016-01-22T14:54:58.063

@Rocket, there is no root password set. Also, su password entry can't be done programmatically. – Bardi Harborow – 2016-01-22T14:57:06.117

(That should've said If there...), but the point was, since there is no root password, wouldn't su root not ask for a password and possibly just work? – Rocket Hazmat – 2016-01-22T15:04:03.700

@Rocket, login is denied to password-less accounts, which is the entire point behind Ubuntu not having root passwords. – Bardi Harborow – 2016-01-22T15:06:08.920

Ah! Darn it. I didn't realize that. Sorry :) – Rocket Hazmat – 2016-01-22T15:08:11.897

Answers

1

Since su only reads from a TTY, you'll have to give it one. If GNU screen is available, try something like this:

screen -d -m -S foo su -c 'sudo my_command' admin
screen -S foo -X stuff 'admin_password
'

Line 1 sets up a session that runs the specified su command, which will prompt for the admin user's password. Lines 2 and 3 "stuff" the password (and the trailing newline to simulate pressing enter, watch the quotes) into the named session; the waiting su will receive it from the pty and, assuming it's correct, execute the command specified (sudo my_command).

(I'm sure something similar can be done with tmux, but I don't use that, so can only point to the man page. Alternatively, you could use the opportunity to learn pty programming and write your own program to do just the password-to-su passing :) )

Gabe

Posted 2016-01-22T14:31:06.100

Reputation: 1 837
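The "write your own program" route mentioned at the end of the answer above, sketched as an added example that is not part of the original answer: the parent allocates a pty, waits for the prompt, and writes the password to the pty master, so the secret never appears in any process's argument list the way it does with screen -X stuff. run_with_tty_password and DEMO_CHILD are hypothetical names, and DEMO_CHILD is a constructed stand-in for su that reads its password from /dev/tty.

```python
import os
import pty
import select
import signal
import sys

# Constructed stand-in for su: like su, it reads the password from /dev/tty,
# not from stdin, and exits non-zero when the password is wrong.
DEMO_CHILD = [sys.executable, "-c",
              "import getpass, sys; ok = getpass.getpass('Password: ') == 'constructed-pw'; "
              "print('granted' if ok else 'denied'); sys.exit(0 if ok else 1)"]


def run_with_tty_password(argv, password, prompt=b"assword:", timeout=10.0):
    """Run argv on a new pty, answer its first password prompt, and return
    (exit_code, text printed after the prompt)."""
    pid, master = pty.fork()
    if pid == 0:                       # child: the pty slave is its controlling tty
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)              # only reached if exec failed
    seen, out, sent = b"", b"", False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:              # no prompt or no exit in time: give up
                os.kill(pid, signal.SIGTERM)
                break
            try:
                chunk = os.read(master, 1024)
            except OSError:            # EIO on Linux once the child has exited
                break
            if not chunk:
                break
            if sent:
                out += chunk
                continue
            seen += chunk
            if prompt in seen:         # answer only once the prompt has appeared
                os.write(master, password.encode() + b"\n")
                sent = True
    finally:
        os.close(master)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, out.decode(errors="replace")


if __name__ == "__main__":
    print(run_with_tty_password(DEMO_CHILD, "constructed-pw"))
```

To use it with the real command, pass an argv such as ["su", "-c", "sudo my_command", "admin"] and read the password from a file only the script's user can read rather than embedding it in the script.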

-1

Though not exactly what you're looking for, one workaround is to give limited sudo permissions to the user.

Add user to /etc/sudoers with only permission to run sudo as user admin and to run command sudo. Example:

user   ALL = (admin) /bin/sudo

Then, run something like sudo -u admin sudo commands.

ecube

Posted 2016-01-22T14:31:06.100

Reputation: 558

More sudo information, for people like me who don't want to read the man page: http://unix.stackexchange.com/a/18880/58455 – ecube – 2016-01-22T14:55:44.303

If he could edit the sudoers file, he wouldn't need to do the indirection in the first place. – Gabe – 2016-03-21T00:32:45.493