On 25/01/2023 21:52, Greg Wooledge wrote:
> On Wed, Jan 25, 2023 at 03:36:33PM +0100, Yassine Chaouche wrote:
> > runas_wwwdata ()
> > {
> >     echo su - www-data -s /bin/bash -c "$*";
> >     su - www-data -s /bin/bash -c "$*"
> > }
> ...
> su(1) is pretty much the WORST possible choice for this, as it forces
> you to launch a shell, instead of just executing a command directly.
> ...
> unicorn:~# runas() { local who=$1; shift; su - "$who" -s /bin/bash -c "$*"; }
> unicorn:~# runas www-data ls -ld /tmp/'file with spaces'
> su: warning: cannot change directory to /var/www: No such file or directory
Greg, I agree with your warnings. Just out of curiosity, is there a
reason why the following variant may still be unsafe?
runas() {
    local who=$1; shift
    su --login "$who" --shell=/bin/bash --command='"$0" "$@"' -- "$@"
}
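As an added example, not part of this thread: the quoting difference between the two wrappers, reproduced without root. su ends up executing the target user's shell as `shell -c STRING [ARG...]`, so the question reduces to how `sh -c` treats a joined string versus positional parameters; the functions `run_unsafe`, `run_safe` and `demo` and the two sample arguments are mine, not from the list.

```shell
#!/bin/sh
# Added example, not code from the thread. su runs the target user's shell
# as `shell -c STRING [ARG...]`, so the quoting behaviour of both wrappers
# can be reproduced with a plain `sh -c` and no root. The function names
# (run_unsafe, run_safe, demo) are mine.

# Variant 1: join the words with spaces and hand the string to the shell.
# The shell re-splits it on whitespace and honours ; | $ etc., so an
# argument with spaces arrives as several arguments and one containing
# shell metacharacters is executed.
run_unsafe() {
    sh -c "$*"
}

# Variant 2: hand the words over as positional parameters. The string the
# child shell parses is the fixed text "$0" "$@" (single-quoted here so the
# outer shell leaves it alone); the child expands $0 to the command name
# and "$@" to each remaining word exactly as it was given.
run_safe() {
    sh -c '"$0" "$@"' "$@"
}

# Driver: run printf through one of the wrappers with the given arguments.
# printf prints each argument it receives followed by a comma, so the
# output shows how many arguments survived the trip through the shell.
demo() {
    _mode=$1
    shift
    case $_mode in
        unsafe) run_unsafe printf '%s,' "$@" ;;
        safe)   run_safe   printf '%s,' "$@" ;;
        *)      echo "usage: demo unsafe|safe ARG..." >&2; return 2 ;;
    esac
}

# Constructed inputs: a filename with spaces and one that smuggles a command.
for arg in 'file with spaces' 'x; echo INJECTED'; do
    printf 'unsafe: %s\n' "$(demo unsafe "$arg")"
    printf 'safe:   %s\n' "$(demo safe "$arg")"
done
```

With `su` in place of `sh` the same split holds: `-c "$*"` reaches the shell as one re-parsed string, while `--command='"$0" "$@"' -- "$@"` reaches it as a fixed string plus untouched positional parameters. The second form relies on su forwarding the arguments after `--` to the shell, which util-linux su does; `--` also stops su itself from treating a command argument beginning with `-` as one of its own options.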