Is it possible to run a cron job which needs the sudo command?
Like:
sudo rm somefile
Asked
Active
Viewed 4.1e+01k times
207
Peter Mortensen
- 884
sayem siam
- 2,291
-
Welcome Sayem Siam, Have a look at the answers to this question http://askubuntu.com/questions/2368/how-do-i-setup-cron-job. as I think your question has been asked before here on AU – stephenmyall Aug 09 '12 at 17:56
-
1I am trying to execute sudo which needs password but how can i giv password from cron file – sayem siam Aug 09 '12 at 17:59
-
3@sayemsiam you don't need to put sudo, just edit the root crontab. – Braiam Dec 06 '13 at 12:21
-
See this answer. – Jan 21 '18 at 08:31
5 Answers
368
I won't get into how much this is a bad idea; simply put, running sudoin crontab requires your password to be stored somewhere in plaintext.
It's a bad idea.
The following is the preferred method of running administrative tasks through cron. Since you don't really need to write sudo in the crontab, if you are modifying root's crontab.
Use root's crontab
Run the following command:
sudo crontab -e
This opens up root's crontab. sudo is not necessary to run your command in this context, since it'll be invoked as root anyway.
Therefore, you would simply append the following to root's crontab.
@hourly rm somefile
Now, if you absolutely want to be unsafe and take risks with your password, the following will run your command from your own crontab, and enter your password automatically when prompted by sudo.
Again, this is not recommended.
In your own crontab, write your command like so:
@hourly echo "password" | sudo -S rm somefile
The obvious disadvantage here is that, should anyone ever access your crontab, your password will be readable in plaintext.
You shouldn't do this.
-
2Glad it works! Just be wary of any security holes you leave behind.. They might come back later to haunt you. – SirCharlo Aug 09 '12 at 18:15
-
2@SirCharlo Why use
root's user crontab instead of the systemwide crontab/etc/crontab? – Eliah Kagan Aug 10 '12 at 03:47 -
2
-
4This answer misses the mark because it glosses over the subtleties available in your
sudoersfile, like sudo groups without a password requirement. – brent Jan 09 '18 at 21:13 -
-
Root's crontab is the best solution, it's explicitly for commands that require sudo so I don't see why you would even want to put your password in clear text whatsoever. – Lorenzo Oct 26 '21 at 10:45
-
"You should NOT do it" | -> Everyone search for this askubuntu post on how to do it – J. Spark Aug 28 '22 at 03:36
50
If you are putting the script from one of the cron directories (/etc/cron.*) then you don't need to use sudo as that is running as root.
If you are using crontab, then you will want to use root's crontab. This will run it as root, and also not need sudo.
sudo crontab -e
tgm4883
- 7,912
-
1I would also place the command in /etc/cron.hourly/something. That's what these directories are for. – John S Gruber Aug 23 '12 at 15:37
-
4No. You could put it in /etc/cron.SOMETHING/SCRIPT, but I wouldn't do both. Both would give roughly the same function, although using crontab you would have a bit more power over how often/when things run. – tgm4883 Aug 23 '12 at 17:40
-
2I should have made clear that I meant that as an alternative. Thanks. – John S Gruber Aug 23 '12 at 17:43
6
Run following command in terminal
sudo visudo
Added the following line to the end of the file:
vidyadhar ALL= NOPASSWD: /bin/rm
In the above example vidyadhar is the username and it will not ask for password if you are running rm command through vidyadhar.
Vidyadhar
- 1,450
-
25Hmm.. Then any malicious command, like
sudo rm -rf 'slash'(don't run that command), run from that user, would require no password.. I don't know, it feels unsafe, no? – SirCharlo Aug 09 '12 at 18:09 -
Ya i know it. Your approach is good. But I am using above approach for giving rights to other user to stop/start certain services. – Vidyadhar Aug 09 '12 at 18:13
-
34
-
4Maybe
vidyadhar ALL= NOPASSWD: /bin/rm somefilewould be more secure. – Wernfried Domscheit Jul 28 '16 at 08:28 -
2This is a terrible idea. You gave blanket sudo permissions to rm. Instead, give sudo permissions to a script your comand, including rm or others in that script, make it executable, then give sudo permissions to that script.
<username> ALL=(ALL) NOPASSWD: /home/<username>/bin/<script>, which would be much safer. – R J Jul 01 '18 at 11:28 -
2This is not "an extremely bad idea", please stop with the useless hyperbole. Obviously giving a user the same amount of power as root will make it just as dangerous as root. This is perfect for a dedicated backups user, or other user account whos access is as tightly controlled as root. – Oct 23 '18 at 15:44
3
Sometimes it is necessary for root to execute a command as a specific user of the system. For example, with borgbackup, it is common to have root check the warehouse using the borg user. if the task must be executed once a day, we will use the /etc/cron.daily folder, like that:
# cat /etc/cron.daily/borgbackup_check
#!/bin/bash
sudo -u borg borg check /borgbackup >> /var/log/borgbackup.log
where "-u borg" is used take the identity of the borg user, "borg" is the borg command and "/borgbackup" is the wharehouse.
MaxiReglisse
- 258
0
Nobody mentioned having an executable script with setuid bit? I can see where this might be a security vulnerability, too (don't cut yourself, sharp knives in this drawer, keep permissions tight), but feels less dicey than working in the root crontab. For instance, I'd like to defrag/fstrim nightly or weekly even when I am not present.
Another alternative is to leave a script running in a loop, sleeping until the time is right, that you launch with sudo.
David G. Pickett
- 179