Hello Everyone,
I want to execute multiple OS commands out of my EG Session, using the OS root-User. Having found this wonderful Filename pipe approach, I generated this code:
    %LET l_rm_cmd = %nrbquote(%str(sudo su -; whoami ; rm -f /home/enp2sas/mh.w.jum0080.01 /home/enp2sas/ok.jum0080.01;echo STATUS=$?;));
    %PUT &=l_rm_cmd;
    filename oscmd pipe "&l_rm_cmd ";
    %let SYsrc=0;
    %put INFO: &=SYSRC;
    data _null_ ;
       infile oscmd;
       input @;
       put _infile_;
       if _infile_ eq: 'STATUS' then do;
          input status=;
          putlog 'INFO: ' status=;
          call symputx('SYSRC',status);
          end;
       run;
    %put INFO: &=SYSRC;
This is the corresponding Log:
    NOTE: The infile OSCMD is:
          Pipe command="sudo su -; whoami ; rm -f /home/enp2sas/mh.w.jum0080.01 /home/enp2sas/ok.jum0080.01;echo STATUS=$?; "
    [YOU HAVE NEW MAIL]
    sas
    rm: 0653-609 Cannot remove /home/enp2sas/mh.w.jum0080.01.
    The file access permissions do not allow the specified action.
    rm: 0653-609 Cannot remove /home/enp2sas/ok.jum0080.01.
    The file access permissions do not allow the specified action.
    STATUS=2
    INFO: status=2
In the "background" my EG Userprofile is "mapped" to the OS user "sas", therefore, the Log of this code shows me as a result of the OS "whoami" command that the OS commands are executed with the User "sas". I was expecting "root" however, as my first command is "sudo su -".
Are these chained commands executed in multiple (KORN) shells, so that the second OS command (i.e. "whoami") is being executed in a different shell, than the "sudo su -" command in front of it?
The reason why I need to change is exactly the two error messages of the "rm" command, as the "sas" User does not have the necessary privileges to remove the two files.
What confuses me even more is that the execution of these commands directly in a shell with the User "sas" is working fine, without any errors.
Can someone explain to me what the difference is between executing OS commands from within EG versus directly in a shell?
Why is it not possible to sudo su to root from within an EG session?
I see what happens.
    sudo su -
starts a new shell which would wait for input, but since the input stream is not present, it immediately terminates, which also terminates the sudo. After that, the original shell takes over and executes the following commands.
To do a series of commands as another user, you need to hand those over as a single string like shown here: https://www.cyberciti.biz/faq/how-to-run-multiple-commands-in-sudo-under-linux-or-unix/
Your sudo setup is EXTREMELY DANGEROUS, and in any safety-conscious organisation this would get you fired. Not just fired from, but fired at.
Not only do you effectively make sas a root user, but on top (since this seems to be a shared userid), anybody can do anything to your server.
Always create a specific script for a specific task, and let the user elevate his permissions for explicitly that script only. Otherwise someone will run
    sudo -u root -c "rm -rf /*"
from SAS, and you can kiss your server goodbye. And as a consequence, your professional behind also.
What does the entry for sas look like in the /etc/sudoers file?
@Kurt_Bremser : sas ALL=(ALL) NOPASSWD:ALL
Kurt, I really like the way you put terrible information into nicely wrapped sentences!
I will inform our server admin of this setup, so he can develop a solution, in order for him not to get his "professional behind" kissed goodbye 🙂
Purely technically speaking, though, it works fine 🙂 Thank you for the link!
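The advice in the answer above (one specific script for one specific task, with sudo permitted for that script only), sketched as an added example that is not code from the thread. The path /usr/local/sbin/rm_sas_flags, the function names and the mh.w.* / ok.* name pattern are assumptions derived from the two file names in the question.

```shell
#!/bin/sh
# Added example: task-specific cleanup wrapper, intended to be the ONLY
# command the sas account may run through sudo. Path and pattern are assumed.
#
# Assumed sudoers entry (edit with visudo), replacing "sas ALL=(ALL) NOPASSWD:ALL":
#   sas ALL=(root) NOPASSWD: /usr/local/sbin/rm_sas_flags
#
# Called from SAS as a single command, so no step runs outside sudo:
#   filename oscmd pipe "sudo /usr/local/sbin/rm_sas_flags mh.w.jum0080.01 ok.jum0080.01; echo STATUS=$?";

FLAG_DIR=/home/enp2sas   # fixed directory; never taken from the caller

# Accept only bare names shaped like the flag files in the question:
# no slashes, no "..", no leading dash, restricted character set.
valid_flag_name() {
    case $1 in
        ''|-*|*/*|*..*) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._]*) return 1 ;;
    esac
    case $1 in
        mh.w.*|ok.*) return 0 ;;
    esac
    return 1
}

# Remove the named flag files from FLAG_DIR. Symlinks and non-regular files
# are refused. Returns 0 if every name was accepted, 1 otherwise.
remove_flags() {
    rc=0
    for name in "$@"; do
        if ! valid_flag_name "$name"; then
            echo "rejected name: $name" >&2; rc=1; continue
        fi
        path=$FLAG_DIR/$name
        if [ -L "$path" ] || { [ -e "$path" ] && [ ! -f "$path" ]; }; then
            echo "not a regular file: $path" >&2; rc=1; continue
        fi
        rm -f "$path" || rc=1
    done
    return $rc
}

# Run only when file names are passed on the command line.
if [ "$#" -gt 0 ]; then
    remove_flags "$@"
    exit $?
fi
```

Because the script takes names rather than paths and builds the path itself, the sudoers rule grants root for this one cleanup and nothing else.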
