# sudo command problem



## sabh (Apr 6, 2010)

I have a user with limited access rights.

Right now, I am issuing commands like this:

```
sudo sh -c "diff /tmp/file1 /tmp/file2"
```

This lets my user fire commands with higher privilege. Is there any workaround by which I can do the same by using something like:

```
sudo "diff /tmp/file1 /tmp/file2"
```


Thanks in advance.


----------



## artov (Apr 6, 2010)

I do not get your problem, but why not use

sudo diff /tmp/file1 /tmp/file2 ?

Or, if there are some special characters in the file names,

sudo diff "/tmp/file1" "/tmp/file2"


----------



## sabh (Apr 6, 2010)

Thanks for the reply.
Passing the diff command without the quotes helped me.

But when should I use "sh -c" with the sudo command? I mean, what is the use of adding that? Someone had already added that in the code.

If I remove it, can it have side effects in any case?


----------



## artov (Apr 7, 2010)

The difference is that in my example sudo runs the diff program, but in your example it runs the sh program. sh is a command shell; for example, when you run Terminal.app, you are giving the commands to the shell (normally bash; sh is a somewhat simpler version of it). -c tells the shell that it will not read the commands from the terminal but from what comes after the -c; in this case "diff /tmp/file1 /tmp/file2".

So why run a shell in sudo, if the shell starts the command? Sudo's parameter is run by root, but the arguments to sudo are evaluated by your shell (or wherever sudo is run). Assume that instead of /tmp, the files are in the directory /tmp/foo, which is owned by root. Compare the following commands:



```
$ sudo diff /tmp/foo/file[12]
```


```
$ sudo sh -c "diff /tmp/foo/file[12]"
```

The first gives an error, but the second does not. The filename wildcard [12] could not be expanded in the first case, since your shell has no access to the /tmp/foo directory. In the second case, the sudoed sh did the expansion as root.


----------
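
Added example, not part of the thread: a shell sketch of the point in artov's Apr 7 reply (which shell expands the wildcard) and of the side effect sabh asks about (a string given to `sh -c` is parsed a second time). `run_as` is a hypothetical stand-in for sudo so it runs without root, the files are constructed samples, and quoting the pattern simulates a calling shell that cannot read the directory.

```shell
#!/bin/sh
# Added example, not from the thread. run_as is a hypothetical stand-in for
# sudo (it only runs its arguments), so the demo works offline without root.
run_as() { "$@"; }

# Constructed sample files in a scratch directory, removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/file1" "$demo_dir/file2" "$demo_dir/my file"

# printf emits one line per argument it receives; count those lines.
count() { wc -l | tr -d ' '; }

# 1. The pattern reaches the command unexpanded, as it does when the calling
#    shell cannot read the directory (simulated here by quoting it).
direct_literal() {
  ( cd "$demo_dir" && run_as printf '%s\n' "file[12]" | count )
}

# 2. The same pattern inside sh -c is expanded by the inner shell, which
#    under real sudo runs as root: the command sees file1 and file2.
inner_expanded() {
  ( cd "$demo_dir" && run_as sh -c "printf '%s\n' file[12]" | count )
}

# 3. Cost of sh -c: the string is parsed a second time, so a file name
#    containing a space is split into two arguments.
inner_resplit() {
  name="my file"
  ( cd "$demo_dir" && run_as sh -c "printf '%s\n' $name" | count )
}

# 4. Passing the name as a positional parameter keeps sh -c but avoids the
#    second parse: the command sees a single argument.
inner_positional() {
  name="my file"
  ( cd "$demo_dir" && run_as sh -c 'printf "%s\n" "$1"' sh "$name" | count )
}

echo "direct, literal pattern : $(direct_literal) argument(s)"
echo "sh -c, inner expansion  : $(inner_expanded) argument(s)"
echo "sh -c, name re-split    : $(inner_resplit) argument(s)"
echo "sh -c, positional param : $(inner_positional) argument(s)"
```

With real sudo, case 4 corresponds to `sudo sh -c 'diff "$1" "$2"' sh "$a" "$b"`, where `$a` and `$b` are the caller's own variables.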



## sabh (Apr 7, 2010)

artov,

in the first command, i.e.

```
$ sudo diff /tmp/foo/file[12]
```


if I give the logged-in user access rights to the /tmp/foo directory, will this command work?

Thanks


----------



## artov (Apr 8, 2010)

Yes, but this means that you are setting the access at two levels: the first level is the access rights on the directory to see the files, and the second is to read the files (diff reads the files) via sudo. It would be easier to use only sudo, but there might be cases where two levels are OK.


----------



## sabh (Apr 8, 2010)

Thanks for your reply. I have got a complete answer to my query.
Thanks once again.


----------

