
susudoio: wraps su and sudo into one-easy-step (MacOS CLI) - neutron37
https://github.com/neutron37/susudoio
======
neutron37
From:
[https://github.com/neutron37/susudoio/issues/1#issuecomment-...](https://github.com/neutron37/susudoio/issues/1#issuecomment-384611430)

I decided not to bother with sanitizing bash history and to remove the admin-
pass argument "feature" entirely (See
[https://github.com/neutron37/susudoio/issues/9](https://github.com/neutron37/susudoio/issues/9)).

First of all, sanitizing bash history wouldn't be enough. The CLI password
argument also leaks in other ways. For example, the listing of commands via
`ps` would show the password for as long as the command executes. It's also
likely that the command would be logged to disk (or even to network!)
depending on the system's configuration.

I made an effort at sanitizing bash history out of curiosity. Here's what I
found. The session history is stored in the bash process's memory until the
end of the session; during the shutdown sequence of the process it's flushed
into ~/.bash_history. So, the only crazy, horrible way that I could think of
to clear the _active_ session's history is to do the following:

1. Escalate to root within susudoio
2. Hijack the tty which spawned bash (which, in turn, spawned susudoio)
3. Background susudoio
4. Selectively clear the bash history with `history -d $badline`
5. Foreground susudoio
6. Return to normal execution

Ew. That's disgusting! Hijacking the TTY session of another user (even as
root) is nasty. You have to do things like change permissions on file-descriptors
which should _never_ have their permissions changed. Any reliable method for
this will likely leverage tools which are meant for invasive debugging and/or
penetration, so probably shouldn't be installed on your "secure" system.
Circumventing the in-built security of my OS in the name of security seems...
pointless.

Won't fix!!!
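
Added example (not part of the original comment and not susudoio's code): a shell sketch of the `ps` leak described above, comparing a password passed as an argument with one read from stdin. The `fake-tool` name, the `--admin-pass` spelling and the placeholder password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: why a password passed as a CLI argument leaks via ps.
# SECRET is a constructed placeholder; "fake-tool" and "--admin-pass" are
# stand-in names (assumptions), not susudoio's real interface.
SECRET='constructed-placeholder-pass'

# Argument list of a PID, as any local user running ps would see it.
# Falls back to /proc on Linux systems whose ps lacks -p.
visible_args() {
    ps -o args= -p "$1" 2>/dev/null || tr '\0' ' ' < "/proc/$1/cmdline"
}

# Returns 0 if string $2 appears in the visible argument list of PID $1.
shown_in_ps() {
    case $(visible_args "$1") in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Case 1: the password travels in argv and stays readable while the child runs.
leaks_via_argv() {
    sh -c 'sleep 2; exit 0' fake-tool --admin-pass "$SECRET" &
    pid=$!
    sleep 1                       # give the child time to exec
    rc=0; shown_in_ps "$pid" "$SECRET" || rc=$?
    wait "$pid"
    return "$rc"
}

# Case 2: the password is read from stdin, so the child's argv never holds it.
# printf is a shell builtin, so no helper process carries the secret in argv.
leaks_via_stdin() {
    printf '%s\n' "$SECRET" | sh -c 'read -r pw; sleep 2; exit 0' fake-tool &
    pid=$!
    sleep 1
    rc=0; shown_in_ps "$pid" "$SECRET" || rc=$?
    wait "$pid"
    return "$rc"
}

if leaks_via_argv;  then echo "argv:  password visible in ps"; else echo "argv:  not visible"; fi
if leaks_via_stdin; then echo "stdin: password visible in ps"; else echo "stdin: not visible"; fi
```

The same argv exposure applies to anything that records command lines, such as shell history or process auditing, which is why removing the argument closes more than the `ps` window.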

------
neutron37
Hi, this is the author of susudoio again with some questions for the
community:

I'm not sure if it's really of much value, maybe something better already
exists?

It would probably be a huge effort to rewrite in Go or Rust or whatever, but
maybe worth it?

I'd love some tips on hardening the script. I'm sure there's more that can be
done, especially with the "internals" (currently uses only bash and expect).

I've got some ideas for additional features, like selectively clearing bash
history lines when the password is entered as an argument to the script. I'm
working ASAP to get it down to a single file install, should be later today.

I'd love some feedback from the community. Maybe this can evolve into
something people actually want to use.

Thanks!

------
neutron37
Why use this tool?

* You are a MacOS user who doesn't like to login with an admin account.

* You also find it pretty inconvenient to be non-admin in the shell.

* You also really dislike installation dependencies and non-transparent tools?

I made a convenience tool for security-conscious MacOS users.

[https://github.com/neutron37/susudoio](https://github.com/neutron37/susudoio)

------
gargravarr
There's a tool that's been on my mind, all the time,

Su-Su-Su-dee-oh

Now I don't even know its name, but I do know ones that do the same,

Su-Su-Su-dee-oh

~~~
neutron37
LOL, thanks for doubling-down on my dad joke!

Do you know ones that do just the same? Su-Su-Su-dee-oh?

What!? Which tools, where?

Also, I'd like to clarify that the inspiration for this tool was Prince's
"1999".

I was dreaming when I wrote this so sue me if I go too fast!

