Running Complex Commands with sudo

Mar 30, 2009 By Don Marti

HOW-TOs

If you use sudo to run commands as root, you've probably run into “permission denied” problems when only part of a pipeline or part of a command is running with root permissions.

This fails with “permission denied” because the file is writable only by root:

$ echo 12000 > /proc/sys/vm/dirty_writeback_centisecs

But, this fails too:

$ sudo echo 12000 > /proc/sys/vm/dirty_writeback_centisecs

Why? The /bin/echo program is running as root, because of sudo, but the shell that's redirecting echo's output to the root-only file is still running as you. Your current shell does the redirection before sudo starts.

The solution is to run the whole pipeline under sudo. There are a couple ways to do it, but I prefer:

echo "echo 12000 > /proc/sys/vm/dirty_writeback_centisecs" | sudo sh

That way, I can type everything before the pipe character, and see what I'm about to run as root, then press the up arrow and add the | sudo sh to do it for real. This is not a big deal for short, obvious pipelines, but when you're building up a more complicated command as root, it's safer to look at it first before you run it.

______________________

Comments

Why? The /bin/echo program

Submitted by boediger (not verified) on Sat, 04/18/2009 - 06:59.

The solution is to run the whole pipeline under sudo. There are a couple ways to do it, but I prefer:

boediger

A whole article decribing a

Submitted by Anonymous (not verified) on Sun, 04/12/2009 - 10:30.

A whole article decribing a single command line method? Surely more thought could have gone into this.

A whole article decribing a

Submitted by K31th (not verified) on Mon, 04/06/2009 - 07:34.

A whole article decribing a single command line method? Surely more thought could have gone into this.

tee shirts?

Submitted by felipe (not verified) on Sat, 04/04/2009 - 22:28.

man 1 tee
just as the above post explains, you can use tee. It is easier to visualise what's happening.

Proto's way is better.

Submitted by jpenny (not verified) on Fri, 04/03/2009 - 11:08.

Sorry, bad cut and paste. Proto's method shows:

Apr 3 12:00:09 xxxxxxxx sudo: xxxxxxx : TTY=pts/22 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c echo 0 >/proc/sys/net/ipv4/ip_forward

First set of xxxxxxxx is machine name, second is userid.

Proto's way is better

Submitted by jpenny (not verified) on Fri, 04/03/2009 - 11:13.

It gives better logging.

Using proto's method, auth.log shows:

Apr 3 12:00:12 xxxxxxxxx sudo: xxxxxxxx : TTY=pts/22 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log

Don's way just shows:

Apr 3 11:58:02 xxxxxxxx sudo: xxxxxxxx : TTY=pts/22 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh

sudo: cd: command not found

Submitted by Anonymous (not verified) on Fri, 04/03/2009 - 10:04.

The one that drives me crazy is when I'm trying to change to a directory with only root access:

john@p490:~$ cd /root
john@p490:/root$ cd .gconf
bash: cd: .gconf: Permission denied
john@p490:/root$ sudo cd .gconf 
sudo: cd: command not found

I always just give up at that point and change to the root user account with:

$ sudo su -

but I guess I could stack up the commands as shown above.

I do the same with: sudo sh

Submitted by Proto (not verified) on Wed, 04/01/2009 - 16:42.

I do the same with:

sudo sh -c "echo 12000 > /proc/sys/vm/dirty_writeback_centisecs"

This works for the same reason, it runs tee with sudo. You can also use
tee -a
to append to file instead of overwriting it.

Already a subscriber? Click here for subscriber services.


OpenLDAP Everywhere Reloaded, Part I	May 23, 2012
Chemistry the Gromacs Way	May 21, 2012
Make TV Awesome with Bluecop	May 16, 2012
Hack and / - Password Cracking with GPUs, Part I: the Setup	May 15, 2012
An Introduction to Application Development with Catalyst and Perl	May 14, 2012
Cryptocurrency: Your Total Cost Is 01001010010	May 09, 2012