Confusion with "su -c" and quotes, user context switching?

Trying to execute commands for a different Unix user with that user's environment variable context, without fully switching to that user, using sudo && su capabilities.
Hoping this would help with security and not having to waste time switching between 10 different app users on the same server.

I do not understand why 'ls' command would not get executed, but 'ls -l' would from below output!?..
Does anyone know why?

( Using Solaris 8, ksh Version: M-11/16/88 )

 
/home/userA>sudo -l
(root) /usr/bin/su - userB *
 
/home/userA>sudo /usr/bin/su - userB '/bin/ls' 
ksh: ls: cannot execute
 
# double quotes do not make any difference
/home/userA>sudo /usr/bin/su - userB "/bin/ls"
ksh: /bin/ls: cannot execute
 
 # Here " -c " option makes this work !
/home/userA>sudo /usr/bin/su - userB -c '/bin/ls'
folderA folderB fileA fileB ...
 
# giving command options make this work.. why?
/home/userA>sudo /usr/bin/su - userA '/bin/ls -l' 
drwxr-x--x 8 userB groupX 8192 Jan 1 00:20 BKUP
..........

Please explain what difference "-c" really makes?
I am able to execute commands as a sudo userB and his env variables (.profile, .login etc) without the "-c" option as well.

This is how I do it:

 
su -c 'command-to-be-run-under-new-user' new-user

I just tried your way of doing it, it seems even worse, at least on my server..

 
/home/userA>sudo /usr/bin/su -c '/bin/ls -l' userB
Sorry, user userA is not allowed to execute '/usr/bin/su -c /bin/ls -l userB' as root on serverX.

Most of the commands I tested so far are working fine with either --> su - <userid> '<command>' or su -c <userid> '<command>'.

My problem is why a simple command like 'ls' would not work but 'ls -l' does, making this a scary half-baked solution..

That's asking ksh to interpret ls, which it cannot do because /bin/ls is not a ksh script; it's a binary executable.

Compare

ksh /bin/ls

versus

ksh -c /bin/ls

Regards,
Alister

1 Like

Got it.
ksh man page is more clear about what ' -c ' does ---->

 -c command-string the shell executes the command(s) contained in command-string 

If I put a space character after 'ls', it's working. Does the space tell the shell that it's not a script, but a command!?

 
/home/userA>ksh 'ls'    
ksh: ls: cannot execute
/home/userA>ksh 'ls '
folderA folderB fileA fileB ...

This is indeed an undocumented(?) feature of ksh,
and is also implemented in pdksh. (But not implemented in sh, bash, zsh.)

ksh "command args"

behaves like

ksh -c "command args"

and it is sufficient to provide a space without args

ksh "command "

But better use the explicit -c because it works with all shells!

2 Likes
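
Added example, not part of the thread: a POSIX sh probe that runs the thread's three arguments ('ls', 'ls ' and 'ls -l') through each installed shell, once as a plain operand and once as a -c command string. The function names, the scratch directory and fileA are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: compare `SHELL ARG` (ARG is a script operand) with
# `SHELL -c ARG` (ARG is a command string) for the arguments in the thread.
# SCRATCH, fileA and the function names are assumptions for this demo.

SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT
: > "$SCRATCH/fileA"            # constructed content so ls has output

# Run `SHELL ARG` in the scratch directory; stdout and exit status pass through.
try_operand() {
    ( cd "$SCRATCH" && "$1" "$2" 2>/dev/null )
}

# Run `SHELL -c ARG` in the scratch directory.
try_dash_c() {
    ( cd "$SCRATCH" && "$1" -c "$2" 2>/dev/null )
}

# probe SHELL ARG: print which of the two invocations succeeded.
probe() {
    if try_operand "$1" "$2" >/dev/null; then o=ok; else o=fail; fi
    if try_dash_c "$1" "$2" >/dev/null; then c=ok; else c=fail; fi
    echo "operand=$o dash_c=$c"
}

# Report for every shell that is installed here.
for s in sh ksh bash; do
    command -v "$s" >/dev/null 2>&1 || continue
    for arg in 'ls' 'ls ' 'ls -l'; do
        printf '%-5s [%s] %s\n' "$s" "$arg" "$(probe "$s" "$arg")"
    done
done
```

A shell with the ksh behaviour described in the thread reports operand=ok for 'ls ' and 'ls -l'; the dash_c column is the form that does not depend on which shell su hands the argument to.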

Appreciate you taking time to clarify this.. I will make a note of it and use 'su -c'.