
Is it possible to run a cron job which needs the sudo command?

Like:

 sudo rm somefile
sayem siam

5 Answers


I won't get into how much this is a bad idea; simply put, running sudo in crontab requires your password to be stored somewhere in plaintext.

It's a bad idea.


The following is the preferred method of running administrative tasks through cron, since you don't really need to write sudo in the crontab if you are modifying root's crontab.

Use root's crontab

Run the following command:

sudo crontab -e

This opens up root's crontab. sudo is not necessary to run your command in this context, since it'll be invoked as root anyway.

Therefore, you would simply append the following to root's crontab.

@hourly rm somefile

Now, if you absolutely want to be unsafe and take risks with your password, the following will run your command from your own crontab, and enter your password automatically when prompted by sudo.

Again, this is not recommended.


In your own crontab, write your command like so:

@hourly echo "password" | sudo -S rm somefile

The obvious disadvantage here is that, should anyone ever access your crontab, your password will be readable in plaintext.

You shouldn't do this.

Braiam
SirCharlo
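Putting this answer's advice into a script, as an added example that is not part of SirCharlo's answer: it appends a job to root's crontab without duplicating it on re-runs, so nothing is ever typed into the crontab by hand, and it checks crontab text for the "echo password | sudo -S" pattern so you can audit what is already installed. The job path /usr/local/sbin/cleanup-somefile, the hourly schedule and the function names are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not part of the answer above): put the job in root's crontab
# with no password stored anywhere, and audit crontab text for the
# "echo password | sudo -S" anti-pattern. The job path
# /usr/local/sbin/cleanup-somefile and the hourly schedule are assumed.

# Return 0 (true) when the crontab text on stdin invokes sudo with the
# password fed on stdin (-S, possibly bundled as -kS, or --stdin); 1 otherwise.
# Comment lines are ignored.
crontab_uses_stdin_sudo() {
    grep -v '^[[:space:]]*#' |
        grep -Eq '(^|[^[:alnum:]_-])sudo[[:space:]].*(-[A-Za-z]*S([[:space:]]|$)|--stdin)'
}

# Print the crontab text from stdin with the line $1 appended, unless an
# identical line is already there, so re-running the installer never
# duplicates the job.
cron_add_line() {
    existing=$(cat)
    if printf '%s\n' "$existing" | grep -Fxq -- "$1"; then
        printf '%s\n' "$existing"
    else
        [ -n "$existing" ] && printf '%s\n' "$existing"
        printf '%s\n' "$1"
    fi
}

# Install the job into root's crontab. sudo prompts interactively once here;
# nothing is stored. "crontab -l" exits non-zero when root has no crontab
# yet, hence the "|| true".
install_root_job() {
    job='@hourly /usr/local/sbin/cleanup-somefile'
    { sudo crontab -l 2>/dev/null || true; } | cron_add_line "$job" | sudo crontab -
}

# Usage: sh thisfile.sh --install
# The script the job runs should be root-owned and not writable by others:
#   sudo install -m 0755 -o root -g root cleanup-somefile /usr/local/sbin/
if [ "${1:-}" = "--install" ]; then
    install_root_job
    if sudo crontab -l | crontab_uses_stdin_sudo; then
        echo "warning: root's crontab feeds a password to sudo -S" >&2
    fi
fi
```

Run it once with --install; every later run is a no-op because cron_add_line refuses to add a line that is already present. The audit function can also be pointed at any user's crontab with "crontab -l -u user | crontab_uses_stdin_sudo" from a root shell.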

If you are putting the script in one of the cron directories (/etc/cron.*) then you don't need to use sudo, as that is running as root.

If you are using crontab, then you will want to use root's crontab. This will run it as root, and also not need sudo.

sudo crontab -e
tgm4883

Run the following command in a terminal:

sudo visudo

Add the following line to the end of the file:

vidyadhar  ALL= NOPASSWD: /bin/rm

In the above example vidyadhar is the username, and it will not ask for a password if you are running the rm command as vidyadhar.

Vidyadhar
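As an added example (not part of Vidyadhar's answer), here is the same NOPASSWD rule written as a drop-in under /etc/sudoers.d, pinned to one exact command line, together with a check that refuses a rule with no argument restriction: in sudoers a command listed with no arguments, such as /bin/rm on its own, permits any arguments, so the cron user could just as well run sudo rm -rf /. The user name vidyadhar is from the answer; the target file /home/vidyadhar/somefile, the drop-in file name and the helper names are assumed.

```shell
#!/bin/sh
# Added example (not part of the answer above): ship the NOPASSWD rule as a
# drop-in under /etc/sudoers.d, pinned to one exact command line, and check
# it before it can break sudo. The user name vidyadhar comes from the answer;
# the target file /home/vidyadhar/somefile and the drop-in name are assumed.

# Print a rule letting $1 run exactly "/bin/rm $2" as root and nothing else.
# In sudoers a command listed without arguments ("/bin/rm") allows any
# arguments, including "rm -rf /"; spelling the argument out pins it down.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: /bin/rm %s\n' "$1" "$2"
}

# Return 0 (true) when the sudoers text on stdin contains a NOPASSWD rule
# whose command list has a bare path or ALL (no argument restriction).
# Comment lines are skipped; a trailing "" in sudoers means "no arguments
# permitted" and is therefore not flagged.
sudoers_has_unrestricted_nopasswd() {
    grep -v '^[[:space:]]*#' | grep 'NOPASSWD:' |
        sed 's/.*NOPASSWD:[[:space:]]*//' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Eq '^(/[^[:space:]]+|ALL)$'
}

# Validate with visudo, then install with the 0440 mode sudo insists on.
# Never write /etc/sudoers.d files directly: a syntax error there disables
# sudo for everyone until it is fixed from a root shell.
install_rule() {
    if sudoers_rule "$1" "$2" | sudoers_has_unrestricted_nopasswd; then
        echo "refusing to install an unrestricted NOPASSWD rule" >&2
        return 1
    fi
    tmp=$(mktemp)
    sudoers_rule "$1" "$2" > "$tmp"
    if sudo visudo -cf "$tmp"; then
        sudo install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1-rm"
    else
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
}

# Usage: sh thisfile.sh --install
# In vidyadhar's own crontab the job then reads
#   @hourly sudo /bin/rm /home/vidyadhar/somefile
# with the same full path as in the rule, so it does not depend on PATH.
if [ "${1:-}" = "--install" ]; then
    install_rule vidyadhar /home/vidyadhar/somefile
fi
```

The check can be run against the live configuration as well: "sudo cat /etc/sudoers /etc/sudoers.d/* | sudoers_has_unrestricted_nopasswd" tells you whether any NOPASSWD rule on the box grants an unrestricted command.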

Sometimes it is necessary for root to execute a command as a specific user of the system. For example, with borgbackup, it is common to have root check the repository as the borg user. If the task must be executed once a day, we use the /etc/cron.daily folder, like this:

# cat /etc/cron.daily/borgbackup_check
#!/bin/bash
sudo -u borg borg check /borgbackup >> /var/log/borgbackup.log

where "-u borg" is used to take the identity of the borg user, "borg" is the borg command and "/borgbackup" is the repository.
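As an added example (not the answer's own script), this installs the same borg check as a /etc/cron.daily drop-in with the two properties run-parts silently requires on Debian/Ubuntu: a file name made only of letters, digits, underscore and hyphen (a name like borgbackup_check.sh is skipped because of the dot, with no error anywhere), and the executable bit. The file name and the borg command are the answer's; the helper names are assumed.

```shell
#!/bin/sh
# Added example (not part of the answer above): install the borg check as a
# /etc/cron.daily drop-in the way run-parts expects. Two things make such a
# script silently never run: a file name with characters outside
# [A-Za-z0-9_-] (run-parts on Debian/Ubuntu skips "borgbackup_check.sh"
# because of the dot) and a missing executable bit. The script body and the
# name borgbackup_check follow the answer; the helper names are assumed.

# Return 0 (true) if run-parts will consider $1 at all (default Debian/Ubuntu
# rules, i.e. without --lsbsysinit).
runparts_name_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Emit the drop-in. It runs as root, so "sudo -u borg" needs no password;
# "set -eu" makes the script exit with borg's status so cron mails a failure.
cron_daily_script() {
    cat <<'EOF'
#!/bin/sh
set -eu
sudo -u borg borg check /borgbackup >> /var/log/borgbackup.log
EOF
}

# Install with the permissions run-parts needs (executable, root-owned),
# then list what run-parts would execute, without running anything.
install_cron_daily() {
    if ! runparts_name_ok "$1"; then
        echo "run-parts would ignore the name '$1'" >&2
        return 1
    fi
    tmp=$(mktemp)
    cron_daily_script > "$tmp"
    sudo install -m 0755 -o root -g root "$tmp" "/etc/cron.daily/$1"
    rm -f "$tmp"
    run-parts --test /etc/cron.daily
}

# Usage: sh thisfile.sh --install
if [ "${1:-}" = "--install" ]; then
    install_cron_daily borgbackup_check
fi
```

The final "run-parts --test /etc/cron.daily" is the check worth keeping in your head: if the new file is not in its output, cron will never run it, whatever the script says.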


Nobody mentioned having an executable script with setuid bit? I can see where this might be a security vulnerability, too (don't cut yourself, sharp knives in this drawer, keep permissions tight), but feels less dicey than working in the root crontab. For instance, I'd like to defrag/fstrim nightly or weekly even when I am not present.

Another alternative is to leave a script running in a loop, sleeping until the time is right, that you launch with sudo.