Cron job initiating ssh AND sudo (from user, not root)

I've been bashing my head on the desk for 2 days trying to get this to work, but I've had no luck. I'll try to be as clear as possible in my explanation without dragging out the details. I'm trying to set up a cron job for user "john" which runs a script. This script initiates an ssh connection to another box (user: john), and then does a series of commands which require privilege escalation. For the purpose of using keys and avoiding passwordless root traversal across ssh, I cannot do this with the root cron.

Example script and cron job.

14 * * * * sh /home/john/localscript.sh

example code from localscript.sh

#!/bin/sh
ssh -t john@remoteip "sudo mv /home/john/file.txt /data/pcap/"

Now I have added the entire path to all of the commands, and that fixed the rest of my script (which is actually quite extensive), but I simply cannot get cron to work with sudo on the remote machine. Now for the same thing you always hear... If I run this script manually, everything works great. When I run it as a cron job, it does everything fine EXCEPT the line with the sudo. Any help is very much appreciated.
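The "works by hand, fails under cron" symptom in the question almost always comes from the environment cron gives a job: a near-empty PATH, no tty, and nothing on stdin. The script below is an added example (not from the thread) that reproduces that environment locally so the failure can be seen at the terminal instead of in john's mail; the cron PATH value and the sample script contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: run a script the way cron would run it,
# and list the commands a script calls by bare name.
# cron starts a job with almost no environment: HOME, LOGNAME/USER,
# SHELL=/bin/sh and a short PATH (assumed here to be /usr/bin:/bin).
# No terminal is attached and stdin is empty.

# run_like_cron <command...>
# Runs the command under a cron-like environment, prints what the job would
# have mailed (stdout and stderr) and returns the job's exit status.
run_like_cron() {
    log="${CRON_TEST_LOG:-/tmp/cronlike.$$.log}"
    status=0
    env -i HOME="$HOME" LOGNAME="$(id -un)" USER="$(id -un)" \
        SHELL=/bin/sh PATH=/usr/bin:/bin \
        /bin/sh -c "$*" </dev/null >"$log" 2>&1 || status=$?
    cat "$log"
    rm -f "$log"
    return $status
}

# check_abs_paths <script>
# Prints, one per line, the commands in the script that are invoked by bare
# name (ssh, sudo, mv, ...) and so depend on PATH. Under cron's short PATH
# each of these should be written with its full path (e.g. /usr/bin/sudo).
check_abs_paths() {
    tr -s ' \t;|&"()' '\n' < "$1" \
        | grep -xE 'ssh|sudo|scp|mv|cp|rsync' \
        | sort -u
}

# write_sample_script <file>
# Writes a constructed copy of the thread's localscript.sh for demonstration.
write_sample_script() {
    printf '%s\n' '#!/bin/sh' \
        'ssh -t john@remoteip "sudo mv /home/john/file.txt /data/pcap/"' \
        > "$1"
}
```

Usage: `write_sample_script /tmp/localscript.sh; check_abs_paths /tmp/localscript.sh` lists `mv`, `ssh` and `sudo` as PATH-dependent; `run_like_cron sh /tmp/localscript.sh` then shows the same error cron would have mailed, and `run_like_cron tty` demonstrates that the job has no terminal, which is exactly what sudo's requiretty option objects to.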

Found this, don't know if it helps...
sudo and cron - Bruno's blog

I know you've said you added the absolute path... but in the command above, I don't see an absolute path to sudo...

Oh sorry, I edited out the paths on my post to more easily present the coding. I haven't tried the solution on that page yet because it requires modifying REQUIRESTTY, which I get around by using the -t option in ssh. I have security worries with commenting out REQUIRESTTY, but if no other options come up, I suppose that is what will have to happen.

---------- Post updated at 01:40 PM ---------- Previous update was at 10:48 AM ----------

I did try the individual version of what was described above, and now I have satisfied my test script, but I still have issues with my "real" script. Just in case, I'll post the temporary solution for now, which was just to add in a user-based requiretty in /etc/sudoers

Defaults:john !requiretty

I'll post my supersolution, once I come across it.

A different kind of solution might be to use a special group. That is,

  • make a new group with groupadd
  • set all the files that must be accessed to that group with chgrp
  • add the user to that supplementary group with usermod -a -G
  • set the group permissions on all those files as required with chmod.

Then don't use any privilege escalation at all.

Check the mail for john's Unix id; do you get any error messages? You should see some error messages, and they will help you troubleshoot this issue.

And did you try kitykity's suggestion?

ssh -t john@remoteip "/usr/bin/sudo mv /home/john/file.txt /data/pcap/"

Everything is working fine and I appreciate all of the help. To run my script, I needed to change two things. I edited the /etc/sudoers file to include the following:

Defaults:john  !requiretty

The next step was to remove the ssh -t option to go with the first step. While this didn't cure everything, a small rewrite of some other additional scripts did fix the rest. This fixed the real problem though. Thanks for the help people! :smiley:
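The final fix above turns requiretty off for john. Since the stated worry was the security cost of that change, the added example below (not from the thread) packages the fix as a sudoers drop-in that also narrows john's password-less sudo to the single mv the job runs, and syntax-checks the fragment with visudo before installing it. The /bin/mv path, the alias name JOHN_CRON, the drop-in file name and the NOPASSWD rule are assumptions; NOPASSWD is needed because a cron job cannot answer a password prompt.

```shell
#!/bin/sh
# Added example, not from the thread: build, validate and install a sudoers
# drop-in for john's cron job. Paths, names and the NOPASSWD rule are
# assumptions made for this example.
#
# The fragment does two things:
#  1. turns off requiretty for john only (the thread's fix), so the cron job
#     no longer needs "ssh -t" to fake a terminal;
#  2. limits john's password-less sudo to one command with exact arguments
#     instead of granting sudo for everything.

# write_sudoers_fragment <outfile>: write the fragment; returns 0 on success.
write_sudoers_fragment() {
    # sudoers must end with a newline or visudo rejects it.
    printf '%s\n' \
        '# cron job for john: no tty, one command only' \
        'Defaults:john !requiretty' \
        'Cmnd_Alias JOHN_CRON = /bin/mv /home/john/file.txt /data/pcap/' \
        'john ALL=(root) NOPASSWD: JOHN_CRON' > "$1"
}

# validate_sudoers_fragment <file>: run visudo's syntax check when visudo
# is available. A broken sudoers file locks everyone out of sudo, so on a
# real host this step is never skipped. (visudo may also warn that a temp
# file is not owned by root / mode 0440; the install step fixes that.)
validate_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    else
        echo "visudo not found; syntax not checked" >&2
    fi
}

# install_sudoers_fragment <file>: copy into /etc/sudoers.d with the
# ownership and mode sudo requires. Needs root; guarded so the example can
# be exercised unprivileged.
install_sudoers_fragment() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to install" >&2; return 1; }
    validate_sudoers_fragment "$1" && \
        install -o root -g root -m 0440 "$1" /etc/sudoers.d/john-cron
}
```

Usage (as root on the remote box): `write_sudoers_fragment /tmp/john-cron && install_sudoers_fragment /tmp/john-cron`. With the alias in place, `sudo /bin/mv /home/john/file.txt /data/pcap/` runs without a password or tty from cron, while `sudo /bin/mv` with any other arguments is refused and logged, so the loss of requiretty is confined to a single, fixed command.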