Pass arguments to a command run by another user

Question

I have a bash script that is supposed to take some arguments and then run in a different user: test.sh

#!/bin/bash
sudo su user2 <<'EOF'
echo $1
EOF

However it prints blank:

$ ./test.sh haha

I understand that it is because environment variable are reset(?). How can I pass this argument? Security wise I've heard I should not disable environment resetting. The only way comes to my mind to solve this is writing $1 to a file and then reading it back again by user2. But I guess there should be a much better way.

The shebang line must have an octothorpe; i.e., #!/bin/bash. — HalosGhost, Sep 19 '14 at 01:31
ooops. # is in the file but somehow didn't end up in the copy paste. Thanks for pointing that out. — Seperman, Sep 19 '14 at 01:33

score 9 · Accepted Answer · answered Sep 19 '14 at 03:13

If you want the entire script to run as another user, my usual technique for doing this is adding something similar to the following to the very top of the script:

target_user="foo"
if [ "$(whoami)" != "$target_user" ]; then
  exec sudo -u "$target_user" -- "$0" "$@"
fi

Note that I use sudo here and not su. su makes it stupidly difficult to pass arguments properly, while sudo does not have this issue.

If you only want to run a small bit of code, you can alternatively do something such as:

target_user="foo"
sudo -u "$target_user" sh -s "$@" <<'EOF'
  echo "$@"
EOF

This will launch sh, pass it the current script's arguments, and then execute the script provided via the heredoc.

your method works pretty well. However I went with the simpler method that G-Man recommended which is not to quote EOF. If you believe your method is for some reason better i.e. security wise or flexibility, I would like to know why please. Thanks — Seperman, Sep 19 '14 at 04:45

score 2 · Answer 2 · answered Sep 19 '14 at 02:07

2

By putting the EOF in quotes, you are effectively quoting the "here document" (echo $1), such that $1 is interpreted by the user2 shell. But that shell doesn't have any positional parameters. I can't test these right now, but here are a couple of approaches that might work:

Don't quote EOF:
```
sudo su user2 << EOF
echo $1
EOF
```

Pass values through the environment:

export my_val="$1"
sudo su user2 << 'EOF'
echo "$my_val"
EOF

answered Sep 19 '14 at 02:07

G-Man Says 'Reinstate Monica'

22,870

sudo su. WHYYYYY? – phemmer Sep 19 '14 at 03:14
Not quoting EOF worked. – Seperman Sep 19 '14 at 04:41
@Erasmose Not quoting EOF works only in simple cases. If the argument contains characters that are interpreted by the shell, they'll be parsed again by the inner shell. For example, try myscript '; this_could_be_rm -rf /' – Gilles 'SO- stop being evil' Sep 19 '14 at 21:27
Using the environment only works if sudo doesn't strip the variable. A variable name beginning with LC_ is more likely to go through. – Gilles 'SO- stop being evil' Sep 19 '14 at 21:29

score 2 · Answer 3 · edited May 23 '17 at 12:40

2

This might work :

#!/bin/bash
su - user2 -c 'echo "$0" "$@"' -- "$@"

Use simple quotes ' to pass the command argument to su so you don't have to escape the double quotes ".

References :

Escaping bash function arguments for use by su -c - Stack Overflow

bash - Passing arguments to su-provided shell - Unix & Linux Stack Exchange

edited May 23 '17 at 12:40

Community

1

answered Apr 27 '15 at 09:06

Daishi

196

Pass arguments to a command run by another user

3 Answers3