0

I need to run a script from server A in Server B. After ssh into server B, I ran the following command:

sudo ssh root@ip_A 'bash -s' < root/work/task.sh

I am getting the error below:

-bash: /root/work/task.sh: Permission denied. 

On server A, I have done `sudo chmod 777 task.sh`.

Please thanks.

Charles Duffy
user3782604
  • `sudo` doesn't change the permissions used for redirections such as `<`; such redirections happen **before** the command being run is started. – Charles Duffy Jan 07 '18 at 02:42
  • BTW, don't **ever** `chmod 777` anything. Not ever, under any circumstances. You're better off with your system broken than with it insecure. – Charles Duffy Jan 07 '18 at 02:43
  • ...anyhow, having world-readable permissions for `task.sh` doesn't help at all if the directory it's in isn't readable by the current user. – Charles Duffy Jan 07 '18 at 02:44
  • BTW, this is effectively an analogue to [sudo permission denied](https://superuser.com/questions/201829/sudo-permission-denied). It has nothing at all to do with ssh -- you could run `sudo cat – Charles Duffy Jan 07 '18 at 02:46
  • ...so, now you've edited the question enough that the original answer doesn't make sense. Generally speaking, when you need to do that after an answer is already given, you should **ask a new question instead**. Rolled back on that account. – Charles Duffy Jan 07 '18 at 04:34
  • Hi, sorry. Should I put a reference back to this thread on the new thread? – user3782604 Jan 07 '18 at 05:53

2 Answers

3

This is one of the few places where `cat` adds value even when not concatenating multiple files:

sudo cat /root/work/task.sh | ssh root@ip_A 'bash -s'

Because redirections such as `<` are run by the shell before the program being invoked is started, `sudo` can't change the permissions used for such redirections (it hasn't started yet!). By contrast, `sudo cat somefile` runs `sudo` first, then `cat`, which then opens `somefile`; since `sudo` runs first in that case, escalated permissions are available.

Charles Duffy
  • I tried this command in server B manually, it says cat: root/work/task.sh: No such file or directory. I confirmed the spelling is correct and the file is there in server A. – user3782604 Jan 07 '18 at 03:24
  • It's /root/xxxx, not root/xxxx – Shen Yudong Jan 07 '18 at 03:52
  • @yudongshen, the OP used `root/xxxx`. They know their own paths better than we do (in theory) -- and if it was wrong relative to the location they started in, they'd have a different error, not permissions not found. – Charles Duffy Jan 07 '18 at 04:32
  • @user3782604, the command I gave above is written to be run on server B. – Charles Duffy Jan 07 '18 at 04:33
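
The ordering described in the answer above, as an added example that is not part of the original thread: `late_setup` is a hypothetical stand-in for `sudo` (it makes the file available only once it has started), the temporary path is constructed, and a local `sh -s` stands in for `ssh root@ip_A 'bash -s'`, so it runs without root or a network.

```shell
#!/bin/sh
# Added illustration, not from the thread. late_setup is a hypothetical
# stand-in for sudo: what it provides (here, the file's existence; with sudo,
# root's read access) is only available once the command has started.
demo_dir=$(mktemp -d)
script="$demo_dir/task.sh"   # constructed sample path

late_setup() {
    [ -e "$script" ] || printf 'echo hello from task.sh\n' > "$script"
    "$@"
}

# Shape of: sudo ssh root@ip_A 'bash -s' < root/work/task.sh
# The calling shell opens the file for '<' first; the open fails, so
# late_setup never starts. Returns 0 when exactly that happened.
redirect_fails_before_command_runs() {
    rm -f "$script"
    if ( late_setup sh -s < "$script" ) 2>/dev/null; then
        return 1
    fi
    [ ! -e "$script" ]
}

# Shape of: sudo cat /root/work/task.sh | ssh root@ip_A 'bash -s'
# late_setup starts first, then cat opens the file, and the pipe carries
# the script to the interpreter (local sh stands in for the remote bash).
pipe_reads_after_command_starts() {
    rm -f "$script"
    late_setup cat "$script" | sh -s
}

if redirect_fails_before_command_runs; then
    echo "redirection: open failed before the command started"
fi
echo "pipe: $(pipe_reads_after_command_starts)"
```
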
0

I tested case 1:

sudo ssh root@ip_A 'bash -s < /root/work/task.sh'

where task.sh is saved on ip_A, and it works. Test case 2:

sudo ssh root@ip_A 'bash -s' < /root/work/task.sh

and it works too; there is no task.sh on ip_A, the file exists only on the local host.

I do not know what your problem is. Can you show us your task.sh?

Shen Yudong
  • To reproduce the OP's problem, run test-case 2 as a user without access to read `/root/work/task.sh`. (BTW, "I can't reproduce this problem" is not, generally speaking, an answer). – Charles Duffy Jan 07 '18 at 03:06
  • In case 2, it is a local file, and it does not matter whether the file has x permission or not. – Shen Yudong Jan 07 '18 at 03:12
  • I retested case 1, still having permission denied issue. Tried case 2, the command was executed but didn't return. Just hung there. My task.sh is just #!/bin/bash for f in {1..10} do echo hello > "$f.txt" done – user3782604 Jan 07 '18 at 03:13
  • Ok, case 2 returned with connection timeout. It is waiting for my server A password? How do I send this password with bash -s command? – user3782604 Jan 07 '18 at 03:17
  • Can your task.sh have only one command, like ls or pwd? Just have a try. – Shen Yudong Jan 07 '18 at 03:18
  • @user3782604 you can google ssh without password; in case 2, I don't need to input a password – Shen Yudong Jan 07 '18 at 03:22
  • I edited my task to do just ls, it still returns with connection timeout. – user3782604 Jan 07 '18 at 03:35
  • @user3782604 do it like case 1, or run your task.sh in ip-a – Shen Yudong Jan 07 '18 at 03:51
  • case 1 permission denied. I'm trying to do ssh without password, but how long does it take to ssh-copy-id? I'm following this: https://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id/ but it seems to take forever to complete.... – user3782604 Jan 07 '18 at 03:58
  • @yudongshen, eh? If the user is running the commands described as user `ubuntu` (f/e), and `ubuntu` doesn't have access to `/root`, then... well, there's our permission-denied error, exactly as the OP described in the original unedited question (since, as I described in my answer, redirections don't benefit from `sudo`). – Charles Duffy Jan 07 '18 at 04:35
  • @CharlesDuffy, since ssh as a root user, will execute script as a root user. – Shen Yudong Jan 07 '18 at 05:16
  • @yudongshen, as the OP originally asked the question they were running `sudo ssh ... – Charles Duffy Jan 07 '18 at 05:32
  • See https://superuser.com/questions/201829/sudo-permission-denied, describing the exact same bug for output redirections. – Charles Duffy Jan 07 '18 at 05:32
  • @CharlesDuffy, you're right, this may be a duplicate of https://stackoverflow.com/questions/82256/how-do-i-use-sudo-to-redirect-output-to-a-location-i-dont-have-permission-to-wr – Shen Yudong Jan 07 '18 at 05:50
  • Sorry for my lack of knowledge... I'm still very confused about how Linux works. So... `sudo ssh root@ip_A 'bash -s' < root/work/task.sh` can only work if I ssh into Server B as root only? A test@serverBIp will not be able to run a script from Server A? – user3782604 Jan 07 '18 at 05:57
  • @user3782604, it's absolutely possible, you just can't depend on `sudo` to give you access to redirect from files that you wouldn't otherwise be able to open. I filed an answer telling you how to do that using pipes instead of shell redirection... 11 hours ago, now. But if you weren't keeping your file in `root/`, and instead had it somewhere the current user was allowed to read, then you wouldn't *need* the `sudo cat` trick, and could just do a normal redirection instead. – Charles Duffy Jan 07 '18 at 14:38
  • @yudongshen, *nod* -- the only reason I'm not closing it as dupe is that the question there refers to output, the question here is about input, and for someone so unclear on the concepts, the adaptations (like substituting `cat` on the input side instead of `tee` on the output side) may not be obvious. And since I have a dupehammer in the tag, I can't just start a vote and let others weigh in -- if I marked it dupe, it would be insta-close. – Charles Duffy Jan 07 '18 at 14:43