How can I run arbitrarily complex command using sudo over ssh?
Solution 1
A trick I use sometimes is to use base64 to encode the commands, and pipe it to bash on the other site:
MYCOMMAND=$(base64 -w0 script.sh)
ssh user@remotehost "echo $MYCOMMAND | base64 -d | sudo bash"
This will encode the script, with any commas, backslashes, quotes and variables inside a safe string, and send it to the other server. (-w0
is required to disable line wrapping, which happens at column 76 by default). On the other side, $(base64 -d)
will decode the script and feed it to bash to be executed.
I never got any problem with it, no matter how complex the script was. Solves the problem with escaping, because you don't need to escape anything. It does not creates a file on the remote host, and you can run vastly complicated scripts with ease.
Solution 2
See the -tt
option? Read the ssh(1)
manual.
ssh -tt root@host << EOF
sudo some # sudo shouldn't ask for a password, otherwise, this fails.
lines
of
code
but be careful with \$variables
and \$(other) \`stuff\`
exit # <- Important.
EOF
One thing I often do is use vim and use the :!cat % | ssh -tt somemachine
trick.
Solution 3
I think the easiest solution lies in a modification of @thanasisk's comment.
Create a script, scp
it to the machine, then run it.
Have the script rm
itself at the start. The shell has opened the file, so it's been loaded, and can then be removed without problems.
By doing things in this order (rm
first, other stuff second) it'll even be removed when it fails at some point.
Solution 4
You can use the %q
format specifier with printf
to take care of the variable escaping for you:
cmd="ls -al"
printf -v cmd_str '%q' "$cmd"
ssh user@host "bash -c $cmd_str"
printf -v
writes the output to a variable (in this case, $cmd_str
). I think that this is the simplest way to do it. There's no need to transfer any files or encode the command string (as much as I like the trick).
Here's a more complex example showing that it works for things like square brackets and ampersands too:
$ ssh user@host "ls -l test"
-rw-r--r-- 1 tom users 0 Sep 4 21:18 test
$ cmd="[[ -f test ]] && echo 'this really works'"
$ printf -v cmd_str '%q' "$cmd"
$ ssh user@host "bash -c $cmd_str"
this really works
I haven't tested it with sudo
but it should be as simple as:
ssh user@host "sudo -u scriptuser bash -c $cmd_str"
If you want, you can skip a step and avoid creating the intermediate variable:
$ ssh user@host "bash -c $(printf '%q' "$cmd")"
this really works
Or even just avoid creating a variable entirely:
ssh user@host "bash -c $(printf '%q' "[[ -f test ]] && echo 'this works as well'")"
Solution 5
UPDATE: Examples now explicitly use sudo
.
Here's a way to use Bash syntax with compound assignments to execute arbitrarily complex commands over SSH with sudo:
CMD=$( cat <<'EOT'
echo "Variables like '${HOSTNAME}' and commands like $( whoami )"
echo "will be interpolated on the server, thanks to the single quotes"
echo "around 'EOT' above."
EOT
) \
SSHCMD=$(
printf 'ssh -tq myuser@hostname sudo -u scriptuser bash -c %q' "${CMD}" ) \
bash -c '${SSHCMD}'
CMD=$( cat <<EOT
echo "If you want '${HOSTNAME}' and $( whoami ) to be interpolated"
echo "on the client instead, omit the the single quotes around EOT."
EOT
) \
SSHCMD=$(
printf 'ssh -tq myuser@hostname sudo -u scriptuser bash -c %q' "${CMD}" ) \
bash -c '${SSHCMD}'
Formatting commands properly to be executed dynamically somewhere else (e.g. nested shells, remote SSH shells, etc.) can be very tricky - see https://stackoverflow.com/a/53197638/111948 for a good description of why. Complicated bash structures, like the syntax above, can help these commands work properly.
For more information about how cat
and <<
combine to form inline here documents, please see https://stackoverflow.com/a/21761956/111948
Comments
-
VoY over 1 year
I have a system that I can only log in to under my username (myuser), but I need to run commands as other user (scriptuser). So far, I have come up with the following to run the commands I need:
ssh -tq myuser@hostname "sudo -u scriptuser bash -c \"ls -al\""
If however, when I try to run a more complex command, such as
[[ -d "/tmp/Some directory" ]] && rm -rf "/tmp/Some directory"
I quickly get into trouble with quoting. I'm not sure how I could pass this example complex command tobash -c
, when\"
already delimites the boundaries of the command I'm passing (and so I don't know how to quote /tmp/Some directory, which includes a spaces.Is there a general solution allowing me to pass any command no matter how complex/crazy the quoting is, or is this some sort of limitation I have reached? Are there other possible and perhaps more readable solutions?
-
user9517 over 9 yearsCopy a script to $remote then execute it.
-
VoY over 9 yearsThat would work, but I find a solution which leaves no script files behind (in case something fails etc.) would be a bit cleaner.
-
thanasisk over 9 yearshave the script rm itself at end of each run
-
Nils Toedtmann over 9 yearsConsider to use fabric fabfile.org. Can make you life much easier if you have to sudo remotely a lot.
-
mpontillo over 9 yearsCan we assume you've set up
sudo
so that it does not require a pasword prompt? -
Navern over 9 yearsfabric or ansible is the way to go. Consider to use something like this.
-
bbaassssiiee over 9 yearsIf you have Ansible installed this command shows the documentation for your use case: ansible-doc script
-
Anil Sharma over 9 yearsYou could try something like my answer to a question for dealing with embedded quotes
-
-
user9517 over 9 yearsUUOC you can use <
-
VoY over 9 yearsCan you modify the example to include
sudo -u scriptuser
? Would heredoc be usable considering I need to have variables in the script I'd be piping to the machine? -
jas_raj over 9 yearsI was trying:
echo "sudo `cat fileForSsh.txt`" | ssh ...
but I keep gettingsudo: sorry, you must have a tty to run sudo
. -
jas_raj over 9 yearsAlthough this question may help if you can get the
/etc/sudoers
file changed -
CodeGnome over 9 yearsIt's worth noting that in most cases you can substitute lzop or gzip for base64 for faster transfer times. However, there may be edge cases. YMMV.
-
ThoriumBR over 9 yearsGood note, but if it's a script, I don't expect any transfer to be more than a few kb.
-
Scott over 9 yearsOf course
:!cat % | (command)
can be done as:w !(command)
or:!(command) < %
. -
AVee over 9 yearsThis works for me:
ssh -tq user@host "sudo bash -s" < test.sh
-
answer42 over 9 yearsThere's a useless use of echo in here too.
base64 script | ssh remotehost 'base64 -d | sudo bash'
would be enough :) -
moebius_eye over 9 yearsYes. My line is a cat abuse
-
Jon L. about 9 yearsthis is an awesome solution. I've actually had to use printf before for a similar situation, but I always forget about it. Thanks for posting this :-)
-
dannysauer almost 9 yearsThat works best when combined with "ssh -t" in the case of remote access. Which is included in the question, but bears repeating for the "I can't read this /whole/ page" folks. :)
-
Soham Chakraborty over 7 yearsWhile I haven't tested this solution, will it output result of the script, say for example 'yum check-update' in the stdout? I wanted to ask because if someone thinks I am doing something obviously naive, I can pick up few things.
-
N M over 6 yearsWhat if I'm using a sudosh filter? How do I then run an arbitarily complex command?
-
Admin over 5 yearsrunning
ssh -tt
causes my ssh to not terminate after certain commands are run (addingexit
at the end doesn't help) -
Pedro Vagner about 4 yearsThe question asks for a single
sudo
command. -
Dejay Clayton about 4 years@PedroVagner - thanks for pointing that out, I've updated my answer accordingly.