Sudo askpass: ask from other tty

expectrsyncsudotty

Context

I want to setup rsync backups of my server, so I run the following command

rsync -r -e ssh --rsync-path="sudo rsync" rsyncuser@example.com:/ /backup/

Ideally, that command would ask my private ssh key password, then connect, then ask the sudo password for rsyncuser, and then run rsync on the server. But I got the infamous error:

sudo: no tty present and no askpass program specified

So I had to add this to /etc/sudoers (using sudo visudo), which basically gives passwordless full read-write access to the system to the user rsyncuser, which is not to my taste:

rsyncuser ALL= NOPASSWD:/usr/bin/rsync

Question

How can I instead tell sudo to read its password from, say, another TTY ?

That way, I could run rsync in one terminal window on my local machine, and use another terminal window to open a (possibly separate) ssh connexion to the server, and supply the sudo password there.

The only way I think of doing something like that would be to use an expect script around sudo, which reads the password from a named pipe, and I would write to that pipe from the other terminal.

Note: this is more for the sake of exeprimentation and learning than any practical purpose, I'm not trying to find out how to use sudo with rsync, I've already read all I could find about that.

Best Answer

sudo will read an environment variable, SUDO_ASKPASS, if it is not running from a terminal (as in your case) or if -A is set. It uses this as a command to run to get the password. For example:

echo -e '#!/bin/sh\nhead -n 1' > ~/bin/reader
chmod a+x ~/bin/reader
export SUDO_ASKPASS="$HOME/bin/reader"
sudo -A echo "I'm root\!"

Will prompt you for the password on stdin, and won't require a terminal.

In the specific case of what you are trying to do however, it might be better to allow root SSH login, but only with an SSH key and the command restricted to rsync. There is a good resource on this here.

Related Question