Output redirection from commands executed by suexec is performed in the shell of the "from" user. If you need to use > or >> to overwrite or append to files, you need to use the tee command instead. To emulate overwriting the file (i.e. >), use /bin/tee file-name. To emulate appending to the file (i.e. >>) use /bin/tee -a file-name.


For instance, to append a comment to a root-owned file with "echo", use the following steps.

Set up the Access Route to allow /bin/tee as root:

i.e. SUEXEC:*->root@host%/bin/tee -a /path/root-file

You do not need to create an Access Route for /bin/echo.

Now the user can execute to following to append the comment to the file:

echo "# This is a comment" | /opt/boksm/bin/suexec -u root /bin/tee -a /path/root-file

In this case, the originating command does not require root privilege, so it is not run with suexec. If the originating command also requires root privilege, then you would need to have an additional Access Route and execute suexec a second time. With suexec sessions in place, you would only need to authenticate the first time.

Please note that granting privilege to the tee command allows the user to replace or overwrite any file on the system. For this reason, it is suggested you only grant this privilege in a limited manner and also always specify which files can be changed using command argument restrictions.

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 25, 2018