0

I want to learn how to prompt users' password for nonsudo commands

EDIT:

I think that I could not tell it clearly according to comments, so I will elaborate my request with example, for example I open terminal and type " ls -l " command, after pressing Enter it should ask me user password I want this for every non-sudo commands.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
Berk Can
  • 9
  • 2
  • 1
    possible duplicate of [Command line utility to retrieve password, that has no echo back](http://unix.stackexchange.com/questions/55865/command-line-utility-to-retrieve-password-that-has-no-echo-back) – Jeff Schaller Sep 28 '15 at 19:08
  • I'm assuming you have specific commands in mind, or just for...all commands? Also, for specific users? or all users? – Gravy Sep 28 '15 at 19:13
  • 2
    "As the question asks": what are you referring to. There is no question, neither in the body of this post nor in its title. – Anthon Sep 28 '15 at 19:25
  • Don't say it twice, elaborate: What are you trying to do? – ctrl-alt-delor Sep 28 '15 at 22:03
  • I will elaborate my request with example, for example I open terminal and type " ls -l " command, after pressing Enter it should ask me user password I want this for every non-sudo commands. – Berk Can Sep 29 '15 at 12:59

1 Answers1

1

The typical lack of access to the password hash in the shadow file may make this request problematic for a random userland program to use the system password database, as sudo and chsh and such tend to have the setuid bit set on them so that they run as root and can access the shadow file.

[jdoe@centos ~]$ id -u
1001
[jdoe@centos ~]$ perl -E 'say for getpwuid(1001)'
jdoe
x
1001
1001



/home/jdoe
/bin/bash
[jdoe@centos ~]$ sudo perl -E 'say for getpwuid(1001)'
jdoe
$6$P1jejm1i$bo02c/...
1001
1001



/home/jdoe
/bin/bash
[jdoe@centos ~]$

Once a program can obtain the password hash for a user (whether from the system database or some other source, it's the redacted $6$P1jejm1i$bo02c/... bit in the above output), a traditional crypt(3) call should suffice to verify the password.

A password prompting program might also want to prevent core dumps, lock itself into memory, scrub various bits of memory afterwards, and ignore various signals, among even more stringent checks if run setuid, in addition to not echoing the password. OpenBSD makes some of these steps easy via readpassphrase(3) though other OS not so much with getpass(3) being marked as LEGACY...

thrig
  • 34,333
  • 3
  • 63
  • 84
  • Sorry for my bad English, are you saying that prompting user password with commands that do not require root privilege is not good in terminal? – Berk Can Sep 29 '15 at 13:02
  • The default lack of access to the system password hash would make it a difficult problem to solve for non-root users running everyday commands such as `ls`. – thrig Sep 29 '15 at 15:52