53

On my local host alpha I have a directory foo that is mapped via sshfs to host bravo as follows:

$ sshfs charlie@bravo:/home/charlie ~/foo

However, on host bravo there is another user, delta, that I want to sudo /bin/su as, so that I can do work in bravo:/home/delta. delta may not be logged into via ssh; for reasons which I cannot change, you can only sudo over to delta once you're on the machine.

Normally I'd ssh into bravo, then sudo to delta, but I'm wondering if there's any way that I can do that when I've got charlie's home dir mounted via ssh.

dirtside
  • 1,723

7 Answers

60

This will vary depending on the OS of the server you are connecting to. For CentOS 5 you would add to the sshfs mount options:

-o sftp_server="/usr/bin/sudo /usr/libexec/openssh/sftp-server"

For Ubuntu 9.10 (I think, might be 9.04, but it's probably the same for both) or Debian you would add:

-o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server"

To find the correct path for other systems running OpenSSH, run

sudo grep Subsystem /etc/ssh/sshd_config

and look for the location of the sftp-server binary.

You might need to set up sudo with NOPASSWD:{path to sftp-server} or prevalidate with ssh user@host sudo -v so that sudo has an updated timestamp for notty. In my case, my two commands were:

ssh login_user@host sudo -v
sshfs login_user@host:remote_path local_path -o sftp_server="/usr/bin/sudo -u as_user /usr/lib/ssh/sftp-server"
Craisis
  • 601
7

You can use bindfs + sshfs to access other user files (even root).

Firstly you mount your 'root' or any other directory under your user with remapped uid.

ssh -t USER@SERVER "mkdir ~/tmproot; sudo bindfs --map=root/USER / ~/tmproot"

and then simply sshfs into the directory.

sshfs USER@SERVER:tmproot TARGET

But for security it's better not to map the whole root / but only the part that you need. For example, you can use this method to mount any other user's directory into yours, such as files from /var/www into ~/www, and remap root to your user so you will have full access to it.

If you need to preserve uids or have access to multiple users, then I would create a new user, for example "rootfs", with uid=0 and /bin/false, and do a normal sshfs.

kolorafa
  • 106
1

By deduction, I think this is impossible to achieve in a simple command.

This is because sshfs calls ssh without passing any command but, instead, uses SFTP which is a subsystem of SSH.

From the sshfs manpage:

On the remote computer the SFTP subsystem of SSH is used.

Plus, changing the current user (or 'su' or 'sudo') is not part of the SFTP protocol, though this seems like a very often requested feature.

Weboide
  • 3,445
0

I ended up with this universal one-liner:

sshfs -o sftp_server='/usr/bin/sudo "$(grep sftp-server /etc/ssh/sshd_config | awk -F" " "{print \$3}")"'

This should be basically equivalent to André Kugland's answer, but more readable. It uses:

  1. awk to get the SFTP submodule config line's 3rd column (path):

grep sftp-server /etc/ssh/sshd_config | awk -F" " "{print \$3}"

  2. single quotes to avoid variable expansion on the client machine

'/usr/bin/sudo "$(grep sftp-server /etc/ssh/sshd_config | awk -F" " "{print \$3}")"'

0

You might try (but I don't think it will work):

sshfs -o ssh_command='ssh sudo /bin/su bravo' charlie@bravo:/home/charlie ~/foo

I don't understand sshfs very well, so you might be able to get something like that to work, but I couldn't say how, and I would be a little surprised.

Another possibility is to put the command 'sudo /bin/su bravo' in ~/.ssh/rc, but that would affect all of your fs mountings (assuming it worked, which I also doubt) as well as your normal use of ssh.

Sorry for being a debbie downer.

0

Probably, the best way is through file permissions, as @artifex proposes.

As @Weboide says, it is impossible through sshfs.

But I guess you could create a simple script, let's call it sudossh that will take your $PWD, convert it to /home/delta/ and run the command through ssh and sudo on the remote machine.

Something like this:

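#!/usr/bin/env bash

# Runs locally: map the current directory under the sshfs mount to the matching path under /home/delta.
remote_dir=$(pwd | sed 's/user\/foo/delta/')
# The directory is quoted so paths containing spaces survive the remote shell.
ssh -t charlie@bravo "cd '$remote_dir'; sudo -u delta $*"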

After that you can execute sudossh command and remember to use relative paths.

If you use ssh-agent, you just have to enter your sudo password.

chmeee
  • 7,548
0

You can sed your way into /etc/ssh/sshd_config to find where sftp-server is, and then run it with sudo. The advantage of using this is that it will work on servers running different distros, as long as ssh_config is in the same place.

#!/bin/sh
sshfs -o sftp_server='/usr/bin/env sudo "$(sed -nE "/^[[:blank:]]*[Ss][Uu][Bb][Ss][Yy][Ss][Tt][Ee][Mm][[:blank:]]+sftp[[:blank:]]+/{s///;s/[[:blank:]]*(|#.*)$//;p;q}" /etc/ssh/sshd_config)"' "$@"
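
Several answers above pull the sftp-server path out of sshd_config and splice it into a sudo command line. The following is an added example, not code from any of the answers, that does the same while handling commented-out lines and the `internal-sftp` case, where there is no binary for sudo to run; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the answers above. Function names are hypothetical.

# Print the sftp-server binary named by the first active
# "Subsystem sftp ..." line of an sshd_config file.
# Returns 1 if there is no such line or it names no absolute path
# (for example "internal-sftp", which sudo cannot execute).
sftp_server_path() {
    config=${1:-/etc/ssh/sshd_config}
    path=$(awk '
        /^[ \t]*#/ { next }    # skip comment lines
        tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }
    ' "$config") || return 1
    case $path in
        /*) printf '%s\n' "$path" ;;
        *)  echo "no sftp-server binary configured in $config" >&2
            return 1 ;;
    esac
}

# Build the sshfs option value that runs sftp-server as another user.
# The value becomes a remote command line, so refuse anything that is
# not a plain user name or a plain absolute path.
sshfs_sudo_option() {
    as_user=$1
    server=$2
    case $as_user in
        ''|*[!a-z0-9_-]*) echo "bad user name: $as_user" >&2; return 1 ;;
    esac
    case $server in
        /*) ;;
        *)  echo "not an absolute path: $server" >&2; return 1 ;;
    esac
    case $server in
        *[!A-Za-z0-9/._-]*) echo "unsafe path: $server" >&2; return 1 ;;
    esac
    printf 'sftp_server=/usr/bin/sudo -u %s %s\n' "$as_user" "$server"
}
```

Run `sftp_server_path` on the server (or against a copy of its sshd_config), then pass the output of `sshfs_sudo_option` to `sshfs -o`.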