How to Sudo as Another User Over SSHFS Mount: A Practical Guide for Remote Privilege Escalation


2 views

When working with SSHFS mounts, we often encounter permission boundaries that don't exist in local filesystems. Consider this common scenario:

$ sshfs charlie@bravo:/home/charlie ~/foo
$ cd ~/foo
$ sudo -u delta ls /home/delta  # This fails!

The fundamental issue is that SSHFS operates at the filesystem layer, while sudo operates at the process/authentication layer. Your local sudo has no knowledge of remote users on bravo.

Here are three practical solutions, each with different trade-offs:

1. Nested SSH Session with Sudo

The most straightforward method is to chain SSH commands:

$ ssh -t charlie@bravo "sudo -u delta -i"

The -t flag allocates a pseudo-terminal, which is often required for interactive sudo sessions.

2. Proxy Command with SSH Config

For frequent access, configure your ~/.ssh/config:

Host bravo-delta
    HostName bravo
    User charlie
    RequestTTY yes
    RemoteCommand sudo -u delta -i

Then simply run:

$ ssh bravo-delta

3. FUSE Workaround (Advanced)

For filesystem-level access, you can create a secondary mount point:

$ sshfs -o proxycommand="ssh -W %h:%p charlie@bravo" delta@bravo:/home/delta ~/delta_mount

This requires:

  • SSH key authentication setup
  • Sudoers configuration allowing passwordless sudo for charlie
  • Proper /etc/fstab entries on the remote host

When implementing these solutions:

  • Always use SSH keys instead of passwords
  • Configure sudoers with minimal privileges (charlie ALL=(delta) NOPASSWD: /bin/bash)
  • Consider SSH certificate authorities for enterprise environments
  • Use ssh -v for debugging connection issues

Here's a complete example for scripting scenarios:

#!/bin/bash

REMOTE_USER="charlie"
TARGET_USER="delta"
HOST="bravo"
COMMAND="ls -la /home/delta"

ssh -t ${REMOTE_USER}@${HOST} <<EOF
    sudo -u ${TARGET_USER} bash -c '${COMMAND}'
    exit
EOF

This script:

  1. Maintains a clean audit trail
  2. Preserves your local environment
  3. Handles complex commands safely

When working with remote systems, we often encounter permission-related challenges. Here's a common situation:

$ sshfs charlie@bravo:/home/charlie ~/foo

You've successfully mounted a remote directory via SSHFS, but now need to execute commands with elevated privileges for another user (delta) on the remote system.

The main obstacle is that SSHFS operates under the authenticated user's permissions (charlie in this case). Directly executing sudo commands through the mounted filesystem isn't straightforward because:

  • SSHFS doesn't natively support privilege escalation
  • The sudo prompt can't be properly forwarded through the FUSE layer
  • Interactive sessions behave differently over filesystem mounts

Here are several approaches to achieve sudo execution over SSHFS:

Method 1: SSH Wrapper Script

Create a helper script on the remote machine that handles the privilege escalation:

#!/bin/bash
# save as /usr/local/bin/sudo_wrapper on bravo
if [ "$1" = "delta" ]; then
    sudo -u delta "$2"
else
    sudo "$@"
fi

Then execute through SSHFS:

$ ssh charlie@bravo sudo_wrapper delta "command_to_run"

Method 2: Direct SSH Command

For one-off commands, bypass SSHFS entirely:

$ ssh -t charlie@bravo "sudo -u delta bash -c 'cd /home/delta && your_command'"

The -t flag ensures proper tty allocation for sudo prompts.

Method 3: Persistent Sudo Session

If you need sustained access, consider:

$ ssh charlie@bravo
$ sudo -u delta -i
# Now in a persistent delta shell

Then in another terminal, mount with SSHFS and work with the files through the active session.

For more complex scenarios, you might need a custom FUSE implementation. Here's a basic Python example using fusepy:

from fuse import FUSE, Operations
import subprocess

class SudoFS(Operations):
    def __init__(self, remote_user, remote_host):
        self.remote = f"{remote_user}@{remote_host}"
    
    def run_remote(self, cmd, user=None):
        if user:
            cmd = f"sudo -u {user} {cmd}"
        return subprocess.check_output(f"ssh {self.remote} '{cmd}'", shell=True)
    
    # Implement required FUSE methods here...

if __name__ == "__main__":
    FUSE(SudoFS('charlie', 'bravo'), '~/foo', foreground=True)

When implementing these solutions:

  • Always use SSH keys instead of passwords
  • Configure sudoers carefully to limit privileges
  • Consider using sudo -s instead of sudo -i when appropriate
  • Audit remote commands in your shell history

If these methods don't suit your needs, consider:

  • Using NFS with proper permissions instead of SSHFS
  • Setting up a dedicated SFTP chroot for delta
  • Implementing a restricted API endpoint for the needed operations