https://github.com/xtaran/sshudo
Drop-in sudo and pkexec replacement doing ssh root@localhost passing parameters like empty strings properly
- Host: GitHub
- URL: https://github.com/xtaran/sshudo
- Owner: xtaran
- License: other
- Created: 2021-01-29T02:28:43.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2025-07-01T12:49:42.000Z (12 months ago)
- Last Synced: 2025-10-04T21:48:21.690Z (9 months ago)
- Topics: nosetuid, nosuid, pkexec, security, ssh, sudo, sysadmin
- Language: Roff
- Homepage:
- Size: 11.7 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: Changelog.md
- License: LICENSE.md
README
sshudo
======
Synopsis
--------
```sh
PBUILDERROOTCMD=sshudo pbuilder --build --debbuildopts "" ../somedebianpackage_123-4.dsc
alias sudo=sshudo
alias pkexec=sshudo
sshudo ln -vis sshudo /usr/bin/sudo
sshudo ln -vis sshudo /usr/bin/pkexec
```
Description
-----------
sshudo is an SSH based minimal drop-in replacement for very basic
`sudo` and `pkexec` usage with commands which still contain parameters
with spaces or empty parameters.
Options
-------
_None so far._
Limitations
-----------
* Won't work properly if parameters contain one or more single quotes.
* Might make your brain hurt if you try to use backslash escaping.
* No SSH option passing. Use `~/.ssh/config` for that.
* Only works for gaining root privileges.
Motivation
----------
[`sudo`](https://www.sudo.ws/) is notoriously hazardous to system
security, regularly having security issues, e.g.
[CVE-2021-3156](https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit),
[CVE-2025-32462](https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host)
or
[CVE-2025-32463](https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot).
(And PolicyKit and its `pkexec` aren't much better either.)
So I wanted to get rid of it once and forever. Didn't seem that hard
as I use `ssh root@localhost` anyway for most purposes other people
would think about using `sudo` for.
But unfortunately using `pdebuild` from the [pbuilder
suite](https://pbuilder-team.pages.debian.net/pbuilder/) with
`PBUILDERROOTCMD="ssh root@localhost"` didn't work, because `pdebuild`
unconditionally passes an empty string as one of the parameters to the
command in `$PBUILDERROOTCMD` and this is lost after the command has
been passed as parameters to SSH. So I needed a wrapper which does
proper escaping for this case. And that's how `sshudo` came into
existence.
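The argument loss described above can be reproduced without an SSH connection. The following is an added example, not sshudo's own code: `sh -c` stands in for the remote login shell, and all function names are hypothetical. It goes beyond the limitation listed above by also escaping embedded single quotes.

```sh
#!/bin/sh
# Added example (not sshudo's code). ssh joins its command arguments with
# single spaces and the remote login shell re-parses that one string.

# naive_join: the string `ssh root@localhost "$@"` effectively sends.
naive_join() {
    printf '%s' "$*"
}

# quote_join: wrap every argument in single quotes so empty strings,
# spaces and shell metacharacters survive the re-parse. An embedded
# single quote is emitted as '\'' (close, escaped quote, reopen).
quote_join() {
    q="'" out=""
    for arg in "$@"; do
        rest=$arg esc=""
        while :; do
            case $rest in
                *"$q"*) esc=$esc${rest%%"$q"*}$q\\$q$q; rest=${rest#*"$q"} ;;
                *) break ;;
            esac
        done
        out="$out $q$esc$rest$q"
    done
    printf '%s' "${out# }"
}

# remote_argv: simulate the remote shell parsing the received string and
# print the resulting argument vector, one <...> pair per argument.
remote_argv() {
    sh -c "set -- $1; for a in \"\$@\"; do printf '<%s>' \"\$a\"; done"
}

demo() {
    printf 'naive : %s\n' "$(remote_argv "$(naive_join "$@")")"
    printf 'quoted: %s\n' "$(remote_argv "$(quote_join "$@")")"
}

# Constructed sample: an argument vector containing an empty string, as
# pdebuild passes, plus one argument containing a space.
demo pbuilder --debbuildopts "" "some pkg.dsc"
```

With the naive join the empty argument disappears and `some pkg.dsc` splits in two; with per-argument quoting the remote side sees the original four arguments.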
License
-------
This program is free software: you can redistribute it and/or modify
it under the terms of the [DO WHAT THE FUCK YOU WANT TO PUBLIC
LICENSE](http://www.wtfpl.net/about/) (WTFPL), either version 2 of the
License, or (at your option) any later version.
### Full Text of the License
#### DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
##### TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.