Avoid passwords in scripts

It was recommended not to use passwords in scripts. (Even though I am the only user on my computer.)

How do I do that in my script?

I don’t want to have to input my password when the script runs.

I get a permission error with my zip statement.

Same thing with any statements that use root-owned directories.

    # Backup sounds
    cd /usr/share/sounds/My_Sounds/

    #echo xxx | sudo -S zip -u My_Sounds.zip *.mp3 *.wav
    zip -u My_Sounds.zip *.mp3 *.wav
    rsync -av --update My_Sounds.zip /media/andy/MAXTOR_SDB1/Ubuntu_Mate_18.04/

Hello,

Use openssl or gnupg to encrypt and decrypt things such as passwords, password text files and whole files that you can afterwards use as input to your bash script.

Just keep your keys in a secure location and don’t use the same key for all files!

Kr,

OpenSSL looks complicated.

https://conshell.net/wiki/index.php/OpenSSL_usage_tips_and_examples

The OpenSSL (http://openssl.org/) toolkit can be a complicated beast for the new user.

I used gpg, but it asks for my password.

Using the visudo command, you can allow your script to be executed without entering the password.

I use something like this to allow “dowebcmd.sh” to be executed from the Apache web server (which runs scripts using the user www-data):

sudo visudo

and add this line to the end of the visudo file:

www-data ALL=(gabriel) NOPASSWD: /home/gabriel/webscripts/dowebcmd.sh

(don’t forget to replace www-data and gabriel with your user name)


I am not having a problem executing my script,

only with something like this within the script.

    cd /usr/share/sounds/My_Sounds/
    zip -u My_Sounds.zip *.mp3 *.wav

Are you saying with your method, it will execute a script with any root user commands without needing a password?

Yes, you can impersonate the root user.
You will have to check the sudoers documentation.


I made the change to the visudo file.

When this runs,

    # Backup sounds
    cd /usr/share/sounds/My_Sounds/
    zip -u My_Sounds.zip *.mp3 *.wav

I get
zip I/O error: Permission denied
zip error: Could not create output file (My_Sounds.zip)

You will have to check the documentation:
https://help.ubuntu.com/community/Sudoers


For this instance, would it be possible to set the owner and group of the My_Sounds folder to the user you are running the script as? That would allow your user to create any files you want under that folder without full access to other areas of the disk.

chown
chgrp


I will set myself as owner and group and see what happens.

I set myself as group, so now my script doesn’t need pw anymore.

Thanks jason.

I do have a question.

What is the difference between the directory being root as owner and me as group versus the directory being owned by root and me as group?

You’ll probably get a much better answer if you poke around Google, but I will give it a shot and try to hit the high points on this.

Traditional Unix/Linux security has 3 groupings - owner, group, and world.

Owner permissions are for a single user - the owner. There are a few things that only the owner can do to a file, and you’ll run into one of those occasionally.

Group permissions apply to anyone who is in the group. It might be a little confusing - there is a user account and a group with the same name for each user. If you are managing groups a little more carefully, you might create a group named “soundwriters” and use that so several accounts can write to the same folder.

World permissions are for everyone.

To start with, you need to know about read, write, and execute permissions. There are some subtleties, but these will get you 90% of the way. Generally, you turn off write permissions for world on most files, and that protects your data (and scripts) from being tampered with.

You can also turn off read permissions for world if you want to protect a file from being read.

The executable flag marks a file as executable. If not set, the OS won’t allow the file to be directly executed.

Hope all that didn’t confuse you! Read around on the web. The concepts are not too difficult, and well worth knowing.

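The owner/group/world lookup described in the post above, as an added example that is not part of the original thread: it picks the single class that applies to a user and tests that class's write bit, which is what decides whether zip can create My_Sounds.zip in the directory. The user and group names and the modes 755 and 775 are constructed sample values, and `check_dir` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): owner/group/world resolution.
# Sample names below (andy, adm) are constructed for illustration.

# perm_class USER "USER'S GROUPS" DIR_OWNER DIR_GROUP -> owner|group|world
# Only the first matching class applies; later classes are never consulted.
perm_class() {
    user=$1 groups=$2 owner=$3 group=$4
    if [ "$user" = "$owner" ]; then echo owner; return 0; fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then echo group; return 0; fi
    done
    echo world
}

# class_can_write MODE CLASS -> exit status 0 if that class has the write bit.
# MODE is octal digits as printed by `stat -c %a` (for example 755 or 2775).
class_can_write() {
    n=$(( $1 % 1000 ))              # drop the setuid/setgid/sticky digit
    case $2 in
        owner) d=$(( n / 100 )) ;;
        group) d=$(( n / 10 % 10 )) ;;
        world) d=$(( n % 10 )) ;;
        *) return 2 ;;
    esac
    [ $(( d & 2 )) -ne 0 ]          # write is the 2 bit of each digit
}

# check_dir DIR [USER]: report class, mode and verdict for a real directory.
# Uses GNU stat (as shipped on Ubuntu). Root bypasses these bits entirely.
check_dir() {
    dir=$1 who=${2:-$(id -un)}
    info=$(stat -c '%U %G %a' "$dir") || return 2
    set -- $info
    class=$(perm_class "$who" "$(id -Gn "$who")" "$1" "$2")
    if class_can_write "$3" "$class"; then verdict=writable; else verdict=read-only; fi
    echo "$dir: $who is '$class', mode $3 -> $verdict"
}

# Constructed case: directory owned by root, group andy, checked for user andy.
for m in 755 775; do
    c=$(perm_class andy "andy adm" root andy)
    if class_can_write "$m" "$c"; then v=writable; else v=read-only; fi
    echo "root:andy mode $m -> andy is '$c', $v"
done
```

Calling `check_dir /usr/share/sounds/My_Sounds` from the backup script before the zip line reports the applicable class and mode instead of failing later with zip's I/O error.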

Thanks.

It did not confuse me.

I love learning new things.
