How do I sudo over sshfs?

Question

On my local host alpha I have a directory foo that is mapped via sshfs to host bravo as follows:

$ sshfs charlie@bravo:/home/charlie ~/foo

However, on host bravo there is another user, delta, that I want to sudo /bin/su as, so that I can do work in bravo:/home/delta. delta may not be logged into via ssh; for reasons which I cannot change, you can only sudo over to delta once you're on the machine.

Normally I'd ssh into bravo, then sudo to delta, but I'm wondering if there's any way that I can do that when I've got charlie's home dir mounted via ssh.

This may be best solved with file permissions. – artifex Jul 08 '10 at 07:53 — artifex, Jul 08 '10 at 07:53

score 51 · Answer 1 · edited Aug 15 '17 at 15:30

51

This will vary depending on the OS of the server you are connecting to. For centOS 5 you would add to the sshfs mount options:

-o sftp_server="/usr/bin/sudo /usr/libexec/openssh/sftp-server"

For Ubuntu 9.10 (I think, might be 9.04, but it's probably the same for both) or Debian you would add:

-o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server".

To find an the correct path for other systems running openSSH run

sudo grep Subsystem /etc/ssh/sshd_config

and look for the location of the sftp-server binary.

You might need to setup sudo with NOPASS:{path to sftp-server} or prevalidate with ssh user@host sudo -v so that sudo has a updated timestamp for notty. In my case, my two commands were:

ssh login_user@host sudo -v
sshfs login_user@host:remote_path local_path -o sftp_server="/usr/bin/sudo -u as_user /usr/lib/ssh/sftp-server"

edited Aug 15 '17 at 15:30

Jaydeep Dave

11
3

answered Jul 09 '10 at 16:40

Craisis

511
3
2

1

Thanks, this is a very neat 'trick'. I just added a "-u " to the sudo for my situation – jor Nov 17 '10 at 09:12
1

Very good, worked flawlessly. My only point is that there is /usr/bin/sudo twice in the example, which seems unnecessary. – xaralis Aug 01 '12 at 08:31
1

@Craisis Sorry to bring up old post, but I want to ssh into a CentOS 6.5 server with a basic user, but mount a folder that's root access only. Would this be correct: `sshfs basicuser@remotehost:remote_path local_mount_path -o sftp_server="/usr/bin/sudo -u root /usr/libexec/openssh/sftp-server"`? – Don Rhummy Jan 30 '14 at 21:57
2

`ssh host sudo -v` doesn't make my sudo happy - it wants a tty before it lets me sudo. Thoughts? – w00t May 30 '14 at 18:03
1

@w00t Use `ssh -t host sudo -v` to connect with a pseudo terminal. – Sebi Apr 13 '17 at 14:14
@sebi thanks! Weird, I have been using ssh -t since at least 2001, no idea why I wrote that comment :) – w00t Apr 13 '17 at 16:32
Minor addition: newer sudo implementations have timestamps tied to the tty as well. To remedy/workaround, add some form of "Defaults !tty_tickets" to the remote server '/etc/sudoers'. – crimson-egret Dec 14 '17 at 17:23
Working for me with Android (only way I found to get write access to DCIM folder) with this option: `sftp_server="/system/xbin/su -c /data/data/berserker.android.apps.sshdroid/dropbear/sftp-server"` – calandoa Aug 29 '18 at 16:20
2

@eggo @Sebi @calandoa @xaralis Do this command work also if I want to sudo as root in debian 9 ? Because if I use: `ssh -t myuser@host sudo -v sshfs myuser@host:remote_path local_path -o sftp_server="/usr/bin/sudo -u root /usr/lib/openssh/sftp-server"` it doesn't work :\ - it just says "remote hosts has disconnected" – user3450548 Nov 06 '18 at 18:09
for me it works with `ssh`, but for sshfs I get `remote host has disconnected` :c – xeruf Jun 29 '22 at 11:54

score 6 · Answer 2 · answered Sep 12 '17 at 12:19

You can use bindfs + sshfs to access other user files (even root).

Firstly you mount your 'root' or any other directory under your user with remapped uid.

ssh -t USER@SERVER "mkdir ~/tmproot; sudo bindfs --map=root/USER / ~/tmproot"

and then simply sshfs into the directory.

sshfs USER@SERVER:tmproot TARGET

But for security it's better to not map whole root / but only part that you need. For example: You can use this method to mount any other user directory to your, for example files from /var/www into ~/www and remap root into your user so you will have full access to it.

If you need access to preserve uid or have access to multiple users then i would create a new user for example "rootfs" with uid=0 and /bin/false and do a normal sshfs.

score 1 · Answer 3 · answered Jul 08 '10 at 02:04

1

By deduction, I think this is impossible to achieve in a simple command.

This is because sshfs calls ssh without passing any command but, instead, uses SFTP which is a subsystem of SSH.

From the sshfs manpage:

On the remote computer the SFTP subsystem of SSH is used.

Plus, changing the current user (or 'su' or 'sudo') is not part of the SFTP protocol, though this seems like a very often requested feature.

answered Jul 08 '10 at 02:04

Weboide

3,275
1
23
32

this is not impossible. Craisis's solution works. – Jayen Dec 25 '11 at 03:09
Of course yes, since he overrides the command that starts the subsystem and adds sudo. Good finding but you have to set up sudo without a password (or use a timestamp), which may decrease security. but I won't argue since OP really wanted to do that. – Weboide Jan 06 '12 at 14:13

score 0 · Answer 4 · answered Jul 08 '10 at 01:51

You might try (but I don't think it will work):

sshfs -o ssh_command='ssh sudo /bin/su bravo' charlie@bravo:/home/charlie ~/foo

I don't understand sshfs very well, so you might be able to get something like that to work, but I couldn't say how, and I would be a little surprised.

Another possibility is to put the command 'sudo /bin/su bravo' in ~/.ssh/rc, but that would affect all of your fs mountings (assuming it worked, which I also doubt) as well as your normal use of ssh.

Sorry for being a debbie downer.

It does not work. The @Craisis's answer is the proper one. – eNca Mar 08 '20 at 20:10 — eNca, Mar 08 '20 at 20:10

chmeee · Answer 5 · 2010-07-08T11:00:21.703

Probably, the best way is through file permissions, as @artifex proposes.

As @Weboide says, it is impossible through sshfs.

But I guess you could create a simple script, let's call it sudossh that will take your $PWD, convert it to /home/delta/ and run the command through ssh and sudo on the remote machine.

Something like this:

#!/usr/bin/env bash

ssh -t charlie@bravo "cd `pwd | sed 's/user\/foo/delta/'`; sudo -u delta $*"

After that you can execute sudossh command and remember to use relative paths.

If you use ssh-agent, you just have to enter your sudo password.

André Kugland · Answer 6 · 2022-06-24T20:59:51.060

You can sed your way into /etc/ssh/sshd_config to find where sftp-server is, and then run it with sudo. The advantage of using this is that it will work on servers running different distros, as long as ssh_config is in the same place.

#!/bin/sh
sshfs -o sftp_server='/usr/bin/env sudo "$(sed -nE "/^[[:blank:]]*[Ss][Uu][Bb][Ss][Yy][Ss][Tt][Ee][Mm][[:blank:]]+sftp[[:blank:]]+/{s///;s/[[:blank:]]*(|#.*)$//;p;q}" /etc/ssh/sshd_config)"' "$@"

How do I sudo over sshfs?

6 Answers6

Linked