Home / server / Questions / 160524
Accepted
cmcculloh
Asked: 2010-07-15 15:51:53 +0800 CST

using su inside of a shell script

  • 772

I'm automating a deploy process and I want to be able to just call one .sh file on my machine, have it do my build and upload the .zip to the server and then do a bunch of stuff on the server. One of the things I need to do requires me to be root. So, What I want to do is this:

ssh [email protected] <<END_SCRIPT
su - 
#password... somehow...
#stop jboss
service server_instance stop
#a bunch of stuff here
#all done!
exit
END_SCRIPT

Is this even possible?

bash ssh sudo su

8 Answers

  1. Best Answer

    Have you considered a password-less sudo instead?

    • 15

  2. Instead of su, use sudo with the NOPASSWD set in sudoers for appropriate command(s). You'll want to make the allowed command set as limited as possible. Having it call run a script for the root commands may be the cleanest way and by far easiest to make secure if you are unfamiliar with sudoer file syntax. For commands/scripts that require the full environment to be loaded, sudo su - -c command works although may be overkill.

    • 5

  3. What you're describing might be possible with expect.

    • 3

  4. You can pass a command as an argument to SSH to just run that command on the server, and then exit:

    ssh user@host "command to run"

    This also works for a list of multiple commands:

    ssh user@host "command1; command2; command3"

    Or alternatively:

    ssh user@host "
            command1
            command2
            command3
    "

    As other users have pointed out before me, running su on the server will launch a new shell instead of executing subsequent commands in the script as root. What you need to do, is to use either sudo or su -c, and force TTY allocation to SSH with the -t switch (required if you need to enter root password):

    ssh -t user@host 'su - -c "command"'
    ssh -t user@host 'sudo command'

    To sum it all up, one way of accomplishing what you want to do, would be:

    #!/bin/bash
    ssh -t [email protected] "
            sudo some_command
            sudo service server_instance stop
            sudo some_other_command
    "

    Since sudo typically remembers you authorization level for a few minutes before asking for the root password again, just prepending sudo to all commands you need to run as root is likely the easiest way to run commands as root on the server. Adding a NOPASSWD rule for your user in /etc/sudoers would make the process even smoother.

    I hope this helps :-)

    • 3

  5. No. Even if you get the password to su, you still have to deal with the fact that su will open a new shell, which means that your further commands will not be passed to it. You will need to write a script for the root operations along with a helper executable that can invoke it with the appropriate privileges.

    • 2

  6. Write an expect script. I know you've already found an answer for this, but this might be helpful if you have to login to a bunch of servers that require interactive password entry.

    It's a language based off of TCL, so it might be a bit weird compared to plain old shell scripts. But it handles automation of text input and, you guessed it, "expects" certain bits of output before entering in any sort of automated password entry or escalation of privileges.

    Here's a good link as a guide: http://bash.cyberciti.biz/security/expect-ssh-login-script/

    Just in case the site goes down:

    #!/usr/bin/expect -f
# Expect script to supply root/admin password for remote ssh server
# and execute command.
# This script needs three argument to(s) connect to remote server:
# password = Password of remote UNIX server, for root user.
# ipaddr = IP Addreess of remote UNIX server, no hostname
# scriptname = Path to remote script which will execute on remote server
# For example:
#  ./sshlogin.exp password 192.168.1.11 who
# ------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project <http://cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# set Variables
set password [lrange $argv 0 0]
set ipaddr [lrange $argv 1 1]
set scriptname [lrange $argv 2 2]
set arg1 [lrange $argv 3 3]
set timeout -1
# now connect to remote UNIX box (ipaddr) with given script to execute
spawn ssh root@$ipaddr $scriptname $arg1
match_max 100000
# Look for passwod prompt
expect "*?assword:*"
# Send password aka $password
send -- "$password\r"
# send blank line (\r) to make sure we get back to gui
send -- "\r"
expect eof
    • 1

  7. I know this is a bit late but I would personally use Net::SSH::Expect, available from CPAN.

    http://search.cpan.org/~bnegrao/Net-SSH-Expect-1.09/lib/Net/SSH/Expect.pod

    • 1

  8. You can use 'ssh example.com su -lc "$cmd"'.

    When command contains options, you need to quote it, otherwise "su" might eat them ("su: invalid option -- 'A').

    ssh -AX -tt example.com 'su -lc "tmux new-session -A"'
    • 0