Run command from sudo su The 2019 Stack Overflow Developer Survey Results Are In ...
How many people can fit inside Mordenkainen's Magnificent Mansion?
Semisimplicity of the category of coherent sheaves?
Does Parliament hold absolute power in the UK?
ELI5: Why do they say that Israel would have been the fourth country to land a spacecraft on the Moon and why do they call it low cost?
Make it rain characters
Did the UK government pay "millions and millions of dollars" to try to snag Julian Assange?
Can a 1st-level character have an ability score above 18?
How did passengers keep warm on sail ships?
Did God make two great lights or did He make the great light two?
Problems with Ubuntu mount /tmp
How are presidential pardons supposed to be used?
Difference between "generating set" and free product?
Scientific Reports - Significant Figures
Can withdrawing asylum be illegal?
Why did all the guest students take carriages to the Yule Ball?
How can I protect witches in combat who wear limited clothing?
Match Roman Numerals
Simulating Exploding Dice
What do you call a plan that's an alternative plan in case your initial plan fails?
How should I replace vector<uint8_t>::const_iterator in an API?
Who or what is the being for whom Being is a question for Heidegger?
"... to apply for a visa" or "... and applied for a visa"?
Do warforged have souls?
Can a novice safely splice in wire to lengthen 5V charging cable?
Run command from sudo su
The 2019 Stack Overflow Developer Survey Results Are In
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)SSH: execute sudo commandsudo access to view/edit a crontabsudo prompts for password over sshsudo to run command as different userAccidentally change sudo user to /bin/falseSudo user is not able to export path of antsudo-users Executing and Runnning Commands RecursivelyLast background process ID ($!) not working in sudo bash commandSudo command with password in Powershellsudo minikube returns “command not found”
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
On a machine I (tlous) have been given access to open a shell as another user (serviceAccount)
Executing: sudo su - serviceAccount has the desired effect of opening a shell as this serviceAccount user. So far so good.
This is nice, but I want to run a command as this user without opening a shell.
Let's say the command is whoami
I've tried:
sudo -u serviceAccount whoami
Sorry, user tlous is not allowed to execute '/usr/bin/whoami' as serviceAccount ...
sudo su - serviceAccount -c whoami
Sorry, user tlous is not allowed to execute '/bin/su - serviceAccount -c whoami' ...
And other variations.
What am I missing? Can this be done in a oneliner?
The reason is that I actually want to run this as an ssh command:
ssh -t tlous@server.example.com sudo su - serviceAccount -c whoami
bash shell sudo su
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
On a machine I (tlous) have been given access to open a shell as another user (serviceAccount)
Executing: sudo su - serviceAccount has the desired effect of opening a shell as this serviceAccount user. So far so good.
This is nice, but I want to run a command as this user without opening a shell.
Let's say the command is whoami
I've tried:
sudo -u serviceAccount whoami
Sorry, user tlous is not allowed to execute '/usr/bin/whoami' as serviceAccount ...
sudo su - serviceAccount -c whoami
Sorry, user tlous is not allowed to execute '/bin/su - serviceAccount -c whoami' ...
And other variations.
What am I missing? Can this be done in a oneliner?
The reason is that I actually want to run this as an ssh command:
ssh -t tlous@server.example.com sudo su - serviceAccount -c whoami
bash shell sudo su
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
On a machine I (tlous) have been given access to open a shell as another user (serviceAccount)
Executing: sudo su - serviceAccount has the desired effect of opening a shell as this serviceAccount user. So far so good.
This is nice, but I want to run a command as this user without opening a shell.
Let's say the command is whoami
I've tried:
sudo -u serviceAccount whoami
Sorry, user tlous is not allowed to execute '/usr/bin/whoami' as serviceAccount ...
sudo su - serviceAccount -c whoami
Sorry, user tlous is not allowed to execute '/bin/su - serviceAccount -c whoami' ...
And other variations.
What am I missing? Can this be done in a oneliner?
The reason is that I actually want to run this as an ssh command:
ssh -t tlous@server.example.com sudo su - serviceAccount -c whoami
bash shell sudo su
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
On a machine I (tlous) have been given access to open a shell as another user (serviceAccount)
Executing: sudo su - serviceAccount has the desired effect of opening a shell as this serviceAccount user. So far so good.
This is nice, but I want to run a command as this user without opening a shell.
Let's say the command is whoami
I've tried:
sudo -u serviceAccount whoami
Sorry, user tlous is not allowed to execute '/usr/bin/whoami' as serviceAccount ...
sudo su - serviceAccount -c whoami
Sorry, user tlous is not allowed to execute '/bin/su - serviceAccount -c whoami' ...
And other variations.
What am I missing? Can this be done in a oneliner?
The reason is that I actually want to run this as an ssh command:
ssh -t tlous@server.example.com sudo su - serviceAccount -c whoami
bash shell sudo su
bash shell sudo su
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Tom LousTom Lous
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
Tom LousTom Lous
1063
asked yesterday
Tom LousTom Lous
1063
1063
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Tom Lous is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Probably the sudoers file on the remote side specifies the exact command you can run and it's su - serviceAccount. One or more additional options (like -c) will make the command not qualify. Any solution should use the exact su - serviceAccount command.
There is a way to do something about it, but it's not perfect. Start by running this on the server:
echo whoami | sudo su - serviceAccount
(sudo without -S will use the terminal to ask for your password (if needed) despite the redirection).
To make the approach more general, create a script on the server:
#!/bin/sh
printf '%s ' "@" | sudo su - serviceAccount
Save it as su-ser, and make it executable. Now you can test these:
./su-ser whoami
./su-ser 'whoami; whoami'
./su-ser ls -l
./su-ser 'ls -l'
Note these quotes don't propagate to the shell spawned by su. Each time printf builds a command from arguments that the script gets, this is passed as a string and then parsed by the final shell, with word splitting, globbing and such. This means all these
./su-ser echo 1 2 3
./su-ser echo "1 2 3"
./su-ser "echo 1 2 3"
will print 1 2 3. To pass a quoted string you need to quote quotes, e.g.:
./su-ser 'echo "1 2 3"'
The next step is to trigger this remote script from your local computer:
ssh -t tlous@server.example.com '"/path/to/su-ser" whoami'
You need -t in case sudo asks for the password. From the ssh command in your question body I can tell you probably understand this.
Note ssh also builds a command string. The above quoting would work even if /path/to/su-ser contained spaces. On the other hand, if the path is without spaces (and without characters like ;, *), a totally unquoted ssh … /path/to/su-ser whoami will work as well.
Proper quoting is not a trivial task at this point. Let's analyze what happens to the command.
- At first your local shell parses the string. It uses the most outer quotes (if any) to parse it right.
sshgets its arguments as an array. The quotes used up by the shell don't get this far.
sshdecides which arguments should be passed to the remote side and builds a string (in similar manner toprintfin our remote script).- This string is then parsed by the remote shell (the one spawned by
sshdon the server). The remote shell uses the (now) most outer quotes (if any) to parse it right.
su-sergets its arguments as an array. The quotes used up by the remote shell don't get this far.
su-serbuilds a string.- This string is then parsed by yet another shell (spawned by
suon the server). The shell uses the (now) most outer quotes (if any) to parse it right. - The command(s) you passed gets its arguments as an array. The quotes used up by the last shell don't get this far.
This means sometimes you need three levels of quotes to get the right result. An uncomplicated local command like
echo "1 2 3"
becomes
ssh -t tlous@server.example.com "'/path/to/su-ser' 'echo "1 2 3"'"
where the unescaped double-quotes get stripped by the local shell, the single-quotes get stripped by the remote shell; finally the escaped double-quotes (that in fact become unescaped as soon as the local shell strips the unescaped ones) tell the shell spawned by su that the string with multiple spaces is a single argument to echo. This way the output is
1 2 3
Another problem is the remote script passes commands to stdin of the final shell, so you cant easily use its stdin for another purpose. E.g. cat; whoami (try it) should print back whatever lines you type (terminate it with Ctrl+D), then the output of whoami. However if you run this on the server:
./su-ser 'cat; whoami'
cat will terminate immediately. This should work:
./su-ser 'cat /dev/tty; whoami'
(Again, use Ctrl+D to terminate cat). Now compare the behavior of this:
./su-ser '
whoami
whoami
whoami
'
to this:
./su-ser '
whoami
cat
whoami
'
The same stream feeds cat and the shell; it's not a good thing. Establishing separate channels for actual commands and the real stdin may not be easy because sudo by default closes additional file descriptors and sets a new, minimal environment. I guess a contraption using temporary files/fifos would work, but this is so hairy I won't even try.
So the script may or may not be enough for you; it depends on commands you need to run. Now you know a couple of its limitations. Good luck.
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Tom Lous is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1424578%2frun-command-from-sudo-su%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Probably the sudoers file on the remote side specifies the exact command you can run and it's su - serviceAccount. One or more additional options (like -c) will make the command not qualify. Any solution should use the exact su - serviceAccount command.
There is a way to do something about it, but it's not perfect. Start by running this on the server:
echo whoami | sudo su - serviceAccount
(sudo without -S will use the terminal to ask for your password (if needed) despite the redirection).
To make the approach more general, create a script on the server:
#!/bin/sh
printf '%s ' "@" | sudo su - serviceAccount
Save it as su-ser, and make it executable. Now you can test these:
./su-ser whoami
./su-ser 'whoami; whoami'
./su-ser ls -l
./su-ser 'ls -l'
Note these quotes don't propagate to the shell spawned by su. Each time printf builds a command from arguments that the script gets, this is passed as a string and then parsed by the final shell, with word splitting, globbing and such. This means all these
./su-ser echo 1 2 3
./su-ser echo "1 2 3"
./su-ser "echo 1 2 3"
will print 1 2 3. To pass a quoted string you need to quote quotes, e.g.:
./su-ser 'echo "1 2 3"'
The next step is to trigger this remote script from your local computer:
ssh -t tlous@server.example.com '"/path/to/su-ser" whoami'
You need -t in case sudo asks for the password. From the ssh command in your question body I can tell you probably understand this.
Note ssh also builds a command string. The above quoting would work even if /path/to/su-ser contained spaces. On the other hand, if the path is without spaces (and without characters like ;, *), a totally unquoted ssh … /path/to/su-ser whoami will work as well.
Proper quoting is not a trivial task at this point. Let's analyze what happens to the command.
- At first your local shell parses the string. It uses the most outer quotes (if any) to parse it right.
sshgets its arguments as an array. The quotes used up by the shell don't get this far.
sshdecides which arguments should be passed to the remote side and builds a string (in similar manner toprintfin our remote script).- This string is then parsed by the remote shell (the one spawned by
sshdon the server). The remote shell uses the (now) most outer quotes (if any) to parse it right.
su-sergets its arguments as an array. The quotes used up by the remote shell don't get this far.
su-serbuilds a string.- This string is then parsed by yet another shell (spawned by
suon the server). The shell uses the (now) most outer quotes (if any) to parse it right. - The command(s) you passed gets its arguments as an array. The quotes used up by the last shell don't get this far.
This means sometimes you need three levels of quotes to get the right result. An uncomplicated local command like
echo "1 2 3"
becomes
ssh -t tlous@server.example.com "'/path/to/su-ser' 'echo "1 2 3"'"
where the unescaped double-quotes get stripped by the local shell, the single-quotes get stripped by the remote shell; finally the escaped double-quotes (that in fact become unescaped as soon as the local shell strips the unescaped ones) tell the shell spawned by su that the string with multiple spaces is a single argument to echo. This way the output is
1 2 3
Another problem is the remote script passes commands to stdin of the final shell, so you cant easily use its stdin for another purpose. E.g. cat; whoami (try it) should print back whatever lines you type (terminate it with Ctrl+D), then the output of whoami. However if you run this on the server:
./su-ser 'cat; whoami'
cat will terminate immediately. This should work:
./su-ser 'cat /dev/tty; whoami'
(Again, use Ctrl+D to terminate cat). Now compare the behavior of this:
./su-ser '
whoami
whoami
whoami
'
to this:
./su-ser '
whoami
cat
whoami
'
The same stream feeds cat and the shell; it's not a good thing. Establishing separate channels for actual commands and the real stdin may not be easy because sudo by default closes additional file descriptors and sets a new, minimal environment. I guess a contraption using temporary files/fifos would work, but this is so hairy I won't even try.
So the script may or may not be enough for you; it depends on commands you need to run. Now you know a couple of its limitations. Good luck.
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
add a comment |
Probably the sudoers file on the remote side specifies the exact command you can run and it's su - serviceAccount. One or more additional options (like -c) will make the command not qualify. Any solution should use the exact su - serviceAccount command.
There is a way to do something about it, but it's not perfect. Start by running this on the server:
echo whoami | sudo su - serviceAccount
(sudo without -S will use the terminal to ask for your password (if needed) despite the redirection).
To make the approach more general, create a script on the server:
#!/bin/sh
printf '%s ' "@" | sudo su - serviceAccount
Save it as su-ser, and make it executable. Now you can test these:
./su-ser whoami
./su-ser 'whoami; whoami'
./su-ser ls -l
./su-ser 'ls -l'
Note these quotes don't propagate to the shell spawned by su. Each time printf builds a command from arguments that the script gets, this is passed as a string and then parsed by the final shell, with word splitting, globbing and such. This means all these
./su-ser echo 1 2 3
./su-ser echo "1 2 3"
./su-ser "echo 1 2 3"
will print 1 2 3. To pass a quoted string you need to quote quotes, e.g.:
./su-ser 'echo "1 2 3"'
The next step is to trigger this remote script from your local computer:
ssh -t tlous@server.example.com '"/path/to/su-ser" whoami'
You need -t in case sudo asks for the password. From the ssh command in your question body I can tell you probably understand this.
Note ssh also builds a command string. The above quoting would work even if /path/to/su-ser contained spaces. On the other hand, if the path is without spaces (and without characters like ;, *), a totally unquoted ssh … /path/to/su-ser whoami will work as well.
Proper quoting is not a trivial task at this point. Let's analyze what happens to the command.
- At first your local shell parses the string. It uses the most outer quotes (if any) to parse it right.
sshgets its arguments as an array. The quotes used up by the shell don't get this far.
sshdecides which arguments should be passed to the remote side and builds a string (in similar manner toprintfin our remote script).- This string is then parsed by the remote shell (the one spawned by
sshdon the server). The remote shell uses the (now) most outer quotes (if any) to parse it right.
su-sergets its arguments as an array. The quotes used up by the remote shell don't get this far.
su-serbuilds a string.- This string is then parsed by yet another shell (spawned by
suon the server). The shell uses the (now) most outer quotes (if any) to parse it right. - The command(s) you passed gets its arguments as an array. The quotes used up by the last shell don't get this far.
This means sometimes you need three levels of quotes to get the right result. An uncomplicated local command like
echo "1 2 3"
becomes
ssh -t tlous@server.example.com "'/path/to/su-ser' 'echo "1 2 3"'"
where the unescaped double-quotes get stripped by the local shell, the single-quotes get stripped by the remote shell; finally the escaped double-quotes (that in fact become unescaped as soon as the local shell strips the unescaped ones) tell the shell spawned by su that the string with multiple spaces is a single argument to echo. This way the output is
1 2 3
Another problem is the remote script passes commands to stdin of the final shell, so you cant easily use its stdin for another purpose. E.g. cat; whoami (try it) should print back whatever lines you type (terminate it with Ctrl+D), then the output of whoami. However if you run this on the server:
./su-ser 'cat; whoami'
cat will terminate immediately. This should work:
./su-ser 'cat /dev/tty; whoami'
(Again, use Ctrl+D to terminate cat). Now compare the behavior of this:
./su-ser '
whoami
whoami
whoami
'
to this:
./su-ser '
whoami
cat
whoami
'
The same stream feeds cat and the shell; it's not a good thing. Establishing separate channels for actual commands and the real stdin may not be easy because sudo by default closes additional file descriptors and sets a new, minimal environment. I guess a contraption using temporary files/fifos would work, but this is so hairy I won't even try.
So the script may or may not be enough for you; it depends on commands you need to run. Now you know a couple of its limitations. Good luck.
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
add a comment |
Probably the sudoers file on the remote side specifies the exact command you can run and it's su - serviceAccount. One or more additional options (like -c) will make the command not qualify. Any solution should use the exact su - serviceAccount command.
There is a way to do something about it, but it's not perfect. Start by running this on the server:
echo whoami | sudo su - serviceAccount
(sudo without -S will use the terminal to ask for your password (if needed) despite the redirection).
To make the approach more general, create a script on the server:
#!/bin/sh
printf '%s ' "@" | sudo su - serviceAccount
Save it as su-ser, and make it executable. Now you can test these:
./su-ser whoami
./su-ser 'whoami; whoami'
./su-ser ls -l
./su-ser 'ls -l'
Note these quotes don't propagate to the shell spawned by su. Each time printf builds a command from arguments that the script gets, this is passed as a string and then parsed by the final shell, with word splitting, globbing and such. This means all these
./su-ser echo 1 2 3
./su-ser echo "1 2 3"
./su-ser "echo 1 2 3"
will print 1 2 3. To pass a quoted string you need to quote quotes, e.g.:
./su-ser 'echo "1 2 3"'
The next step is to trigger this remote script from your local computer:
ssh -t tlous@server.example.com '"/path/to/su-ser" whoami'
You need -t in case sudo asks for the password. From the ssh command in your question body I can tell you probably understand this.
Note ssh also builds a command string. The above quoting would work even if /path/to/su-ser contained spaces. On the other hand, if the path is without spaces (and without characters like ;, *), a totally unquoted ssh … /path/to/su-ser whoami will work as well.
Proper quoting is not a trivial task at this point. Let's analyze what happens to the command.
- At first your local shell parses the string. It uses the most outer quotes (if any) to parse it right.
sshgets its arguments as an array. The quotes used up by the shell don't get this far.
sshdecides which arguments should be passed to the remote side and builds a string (in similar manner toprintfin our remote script).- This string is then parsed by the remote shell (the one spawned by
sshdon the server). The remote shell uses the (now) most outer quotes (if any) to parse it right.
su-sergets its arguments as an array. The quotes used up by the remote shell don't get this far.
su-serbuilds a string.- This string is then parsed by yet another shell (spawned by
suon the server). The shell uses the (now) most outer quotes (if any) to parse it right. - The command(s) you passed gets its arguments as an array. The quotes used up by the last shell don't get this far.
This means sometimes you need three levels of quotes to get the right result. An uncomplicated local command like
echo "1 2 3"
becomes
ssh -t tlous@server.example.com "'/path/to/su-ser' 'echo "1 2 3"'"
where the unescaped double-quotes get stripped by the local shell, the single-quotes get stripped by the remote shell; finally the escaped double-quotes (that in fact become unescaped as soon as the local shell strips the unescaped ones) tell the shell spawned by su that the string with multiple spaces is a single argument to echo. This way the output is
1 2 3
Another problem is the remote script passes commands to stdin of the final shell, so you cant easily use its stdin for another purpose. E.g. cat; whoami (try it) should print back whatever lines you type (terminate it with Ctrl+D), then the output of whoami. However if you run this on the server:
./su-ser 'cat; whoami'
cat will terminate immediately. This should work:
./su-ser 'cat /dev/tty; whoami'
(Again, use Ctrl+D to terminate cat). Now compare the behavior of this:
./su-ser '
whoami
whoami
whoami
'
to this:
./su-ser '
whoami
cat
whoami
'
The same stream feeds cat and the shell; it's not a good thing. Establishing separate channels for actual commands and the real stdin may not be easy because sudo by default closes additional file descriptors and sets a new, minimal environment. I guess a contraption using temporary files/fifos would work, but this is so hairy I won't even try.
So the script may or may not be enough for you; it depends on commands you need to run. Now you know a couple of its limitations. Good luck.
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
Probably the sudoers file on the remote side specifies the exact command you can run and it's su - serviceAccount. One or more additional options (like -c) will make the command not qualify. Any solution should use the exact su - serviceAccount command.
There is a way to do something about it, but it's not perfect. Start by running this on the server:
echo whoami | sudo su - serviceAccount
(sudo without -S will use the terminal to ask for your password (if needed) despite the redirection).
To make the approach more general, create a script on the server:
#!/bin/sh
printf '%s ' "@" | sudo su - serviceAccount
Save it as su-ser, and make it executable. Now you can test these:
./su-ser whoami
./su-ser 'whoami; whoami'
./su-ser ls -l
./su-ser 'ls -l'
Note these quotes don't propagate to the shell spawned by su. Each time printf builds a command from arguments that the script gets, this is passed as a string and then parsed by the final shell, with word splitting, globbing and such. This means all these
./su-ser echo 1 2 3
./su-ser echo "1 2 3"
./su-ser "echo 1 2 3"
will print 1 2 3. To pass a quoted string you need to quote quotes, e.g.:
./su-ser 'echo "1 2 3"'
The next step is to trigger this remote script from your local computer:
ssh -t tlous@server.example.com '"/path/to/su-ser" whoami'
You need -t in case sudo asks for the password. From the ssh command in your question body I can tell you probably understand this.
Note ssh also builds a command string. The above quoting would work even if /path/to/su-ser contained spaces. On the other hand, if the path is without spaces (and without characters like ;, *), a totally unquoted ssh … /path/to/su-ser whoami will work as well.
Proper quoting is not a trivial task at this point. Let's analyze what happens to the command.
- At first your local shell parses the string. It uses the most outer quotes (if any) to parse it right.
sshgets its arguments as an array. The quotes used up by the shell don't get this far.
sshdecides which arguments should be passed to the remote side and builds a string (in similar manner toprintfin our remote script).- This string is then parsed by the remote shell (the one spawned by
sshdon the server). The remote shell uses the (now) most outer quotes (if any) to parse it right.
su-sergets its arguments as an array. The quotes used up by the remote shell don't get this far.
su-serbuilds a string.- This string is then parsed by yet another shell (spawned by
suon the server). The shell uses the (now) most outer quotes (if any) to parse it right. - The command(s) you passed gets its arguments as an array. The quotes used up by the last shell don't get this far.
This means sometimes you need three levels of quotes to get the right result. An uncomplicated local command like
echo "1 2 3"
becomes
ssh -t tlous@server.example.com "'/path/to/su-ser' 'echo "1 2 3"'"
where the unescaped double-quotes get stripped by the local shell, the single-quotes get stripped by the remote shell; finally the escaped double-quotes (that in fact become unescaped as soon as the local shell strips the unescaped ones) tell the shell spawned by su that the string with multiple spaces is a single argument to echo. This way the output is
1 2 3
Another problem is the remote script passes commands to stdin of the final shell, so you cant easily use its stdin for another purpose. E.g. cat; whoami (try it) should print back whatever lines you type (terminate it with Ctrl+D), then the output of whoami. However if you run this on the server:
./su-ser 'cat; whoami'
cat will terminate immediately. This should work:
./su-ser 'cat /dev/tty; whoami'
(Again, use Ctrl+D to terminate cat). Now compare the behavior of this:
./su-ser '
whoami
whoami
whoami
'
to this:
./su-ser '
whoami
cat
whoami
'
The same stream feeds cat and the shell; it's not a good thing. Establishing separate channels for actual commands and the real stdin may not be easy because sudo by default closes additional file descriptors and sets a new, minimal environment. I guess a contraption using temporary files/fifos would work, but this is so hairy I won't even try.
So the script may or may not be enough for you; it depends on commands you need to run. Now you know a couple of its limitations. Good luck.
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
edited 19 hours ago
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
answered yesterday
Kamil MaciorowskiKamil Maciorowski
29.2k156288
29.2k156288
add a comment |
add a comment |
Tom Lous is a new contributor. Be nice, and check out our Code of Conduct.
Tom Lous is a new contributor. Be nice, and check out our Code of Conduct.
Tom Lous is a new contributor. Be nice, and check out our Code of Conduct.
Tom Lous is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1424578%2frun-command-from-sudo-su%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
