LinuxQuestions.org


kurwen 02-13-2017 05:10 AM

Executing scripts over ssh (and sudo su)
 
Good morning,

I've been googling about this for a long while, but I failed to find how to achieve it (if possible...).

I need to run a script on a Unix server from a Linux machine:

myuser -> my user to connect to the server.
unixserver -> the server where the script is going to run

The problem is that I have to run this script with a generic system user (which we are going to call: sysuser).

I've tried the following:

ssh -t myuser@unixserver "sudo su - sysuser && whoami"

But this, obviously, logs you in to the server, then to sysuser, and when you exit the sysuser session it will launch the 'whoami' command...

I have to sudo su sysuser, and it is not possible for me to execute the script from myuser nor to change this infrastructure.

I don't have the sysuser password so I can't just su - sysuser.


I've also tried:

ssh -t myuser@unixserver "sudo su - sysuser --command=whoami"

but I've received the error:

Sorry, user myuser is not allowed to execute '/usr/bin/su - sysuser --command=whoami' as root on unixserver.

the same for:

ssh -t myuser@unixserver "sudo -u sysuser whoami"

I will appreciate your help, and sorry for my awful English.

thanks!

r3sistance 02-13-2017 05:31 AM

I'd say "sudo <user> <command>" is the better form to use, but as you can only use su... I'd suggest it is probably the case that the visudos file has been set up to only allow sudo su. Do you have control over the end server or not?

pan64 02-13-2017 05:33 AM

In that case I would try to construct a shell script to do the job (as root) on unixserver and execute it from your host.

Turbocapitalist 02-13-2017 05:38 AM

The program su is probably the wrong way to go about things. What are you trying to solve? Do you need to run lots of different programs as sysuser, or just one or two?

About using sudo, the user myuser needs permission in sudoers to run things as the user sysuser. But rather than editing /etc/sudoers directly, you might consider adding a file under /etc/sudoers.d/ and making your additions there. See the manual page for sudoers for details.

Code:

man 5 sudoers

The book Sudo Mastery, by M W Lucas, is quite good about giving a thorough walk-through with examples. He also has a video around called "sudo: you're doing it wrong" with slides available.

kurwen 02-13-2017 06:22 AM

Thanks to everyone... that was quick! :D


Ok, as I've said, I can't make modifications to the system. I only have permission to execute /usr/bin/su to sysuser from myuser, and I have no root access.

I mean, the only thing I can do when I connect to this server is:

sudo su - sysuser
./sysscript

What I want to do is to write a script that I will execute on my Linux laptop so I can execute this 'sysscript' on many servers without logging in manually on each one.

Turbocapitalist 02-13-2017 06:34 AM

There might be several possibilities, but you'll first need to confirm what you really are allowed to run on the remote machine.

Code:

ssh -t myuser@unixserver "sudo -l"

That will tell you if you are allowed to run su and if there are any limitations on options or runtime arguments.

r3sistance 02-13-2017 06:37 AM

I think I know the issue, the visudo file has an explicit usage of su which is broken the moment you add the --command alias on it.

To be fair, at the moment you have granted a user "sudo su", then you might as well grant all in sudo because a user with sudo su can simply edit the sudoers file to give themselves that anyway.

kurwen 02-13-2017 06:47 AM

Quote:

Originally Posted by Turbocapitalist (Post 5669744)
There might be several possibilities, but you'll first need to confirm what you really are allowed to run on the remote machine.

Code:

ssh -t myuser@unixserver "sudo -l"

That will tell you if you are allowed to run su and if there are any limitations on options or runtime arguments.

Thanks Turbocapitalist, I confirm that the only thing I can do is the sudo su to this sysuser. This is an enterprise LDAP and my user is very limited.

Turbocapitalist 02-13-2017 06:49 AM

Ok. Then maybe it has to be formulated like this:

Code:

ssh -t myuser@unixserver "sudo su -l sysuser --command=./sysscript"

If not, and you have restrictions on su, then you'll always have to do it manually instead until you can convince the sysadmin to tweak the sudoers file for you.
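
What such a sudoers tweak could look like, as an added example that is not part of the original thread. The first rule is an assumption inferred from the error message quoted earlier; the drop-in file name and the script path /home/sysuser/sysscript are placeholders.

```sudoers
# /etc/sudoers.d/sysscript   (placeholder file name)
# Syntax-check before installing:  visudo -cf /etc/sudoers.d/sysscript

# Assumed current rule. Because arguments are listed after the command,
# sudo accepts exactly "su - sysuser"; any extra argument such as
# --command=whoami no longer matches and is refused. The rule still
# gives myuser a full interactive shell as sysuser.
myuser ALL = (root) /usr/bin/su - sysuser

# Narrower alternative: allow only the one script, run directly as
# sysuser. The trailing "" means the script may not be given arguments.
# /home/sysuser/sysscript is a placeholder path.
myuser ALL = (sysuser) /home/sysuser/sysscript ""
```

With the second rule in place, `ssh -t myuser@unixserver "sudo -u sysuser /home/sysuser/sysscript"` runs the script without opening a shell as sysuser, and `sudo -l` lists exactly that command.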

kurwen 02-13-2017 07:21 AM

Thanks to everyone... I guess I'll have to do a lot of redundant work :(

r3sistance 02-13-2017 07:30 AM

If you have a system with lots of servers in it where you have to repeat processes like this, then maybe it'd be best to suggest moving it to some form of central control such as puppet, chef or salt. That is, to whoever is in charge.

