23

I seem to be stuck between an NFS limitation and a Cron limitation.

So I've got root cron (on RHEL5) running a shell script that, among other things, needs to rsync some files over an NFS mount. And the files on the NFS mount are owned by the apache user with mode 700, so only the apache user can run the rsync command -- running as root yields a permission error (NFS being a rare case, apparently, where the root user is not all-powerful?)

When I just want to run the rsync by hand, I can use "sudo -u apache rsync ..." But sudo no workie in cron -- it says "sudo: sorry, you must have a tty to run sudo".

I don't want to run the whole script as apache (i.e. from apache's crontab) because other parts of the script do require root -- it's just that one command that needs to run as apache. And I would really prefer not to change the mode on the files, as that will involve significant changes to other applications.

There's gotta be a way to accomplish "sudo -u apache" from cron??

thanks! rob

rob
  • 1
    Might be better served by moving this to SuperUser.com. – Robert Deml Aug 25 '09 at 17:16
  • This is an old question, but still found it pretty high in search ranks, and none of the answers address why root permissions didn't apply to the NFS mount. For anyone else stumbling on this, the reason is root_squash. This blog has a pretty decent explanation for why that option is necessary and usually set by default. http://fullyautolinux.blogspot.com/2015/11/nfs-norootsquash-and-suid-basic-nfs.html – BryKKan Jan 25 '18 at 22:54

5 Answers

18

su --shell=/bin/bash --session-command="/path/to/command -argument=something" username &

Works for me (CentOS)

Kitty
  • I had to add `export TERM=xterm;` before my command inside the `--session-command` variable. Thus, I ended up with `su --shell=/bin/bash --session-command="export TERM=xterm; /path/to/command -argument=something" username &` – Steve Tauber Jun 26 '12 at 18:09
  • Does not work on Ubuntu (12.04) as the `su` command doesn't support the `--session-command` option. – Lambart Jan 14 '14 at 21:07
  • To clarify the answer, in root's crontab, add the `su --shell=/bin/bash --session-command="/path/to/command -argument=something" username` – NoelProf Feb 19 '14 at 03:29
9

Use su instead of sudo:

su -c "rsync ..." apache

Jukka Matilainen
  • 1
    Yes! But no. The apache user does not have a regular login shell, so the su -c syntax only returns "This account is currently not available". And altering the apache user's passwd entry for this purpose seems like a bad idea. Hm, I guess this question should be titled "How do I run a command as the apache user from a root cronjob?" And maybe it can't be done without introducing security holes? – rob Aug 27 '09 at 15:46
  • 6
    Does it help if you explicitly specify the shell to be used with the `-s` switch (for example `-s /bin/sh`)? At least on Ubuntu this seems to help if the user in question does not have a valid shell in /etc/passwd. – Jukka Matilainen Aug 27 '09 at 17:20
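
The `su -s` approach from the answer and comments above, written out as an added example that is not part of the original thread: a helper for a root cron script that runs a single command as a service account whose `/etc/passwd` shell is nologin, quoting each argument so the shell started by `su -c` cannot re-interpret it. The function names `shell_quote`, `quote_cmd` and `run_as`, and the paths in the usage comment, are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Runs ONE command as another user from a
# root cron job: no sudo (so no tty requirement) and no change to the target
# account's login shell in /etc/passwd.

# Quote one argument so the shell started by `su -c` sees it as a single word.
# Embedded single quotes become '\'' ; trailing newlines in an argument are dropped.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Join all arguments into one command string, each argument quoted.
quote_cmd() {
    out=""
    for arg in "$@"; do
        out="${out}${out:+ }$(shell_quote "$arg")"
    done
    printf '%s' "$out"
}

# run_as USER CMD [ARGS...]
# Must be called as root: only root may override the target's shell with -s.
run_as() {
    user=$1
    shift
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_as: must be run as root" >&2
        return 1
    fi
    # -s replaces the account's nologin shell for this one invocation only.
    su -s /bin/sh -c "$(quote_cmd "$@")" "$user"
}

# Usage inside the root cron script (hypothetical paths):
#   run_as apache rsync -a /data/src/ "/mnt/nfs/dest dir/"
```

The rest of the cron script keeps running as root; only the command passed to `run_as` executes with the service account's uid.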
3

By default on RHEL, sudo isn't allowed for processes without a terminal (tty). That's set in /etc/sudoers.

You can allow tty-less sudo for particular users with these instructions:

https://serverfault.com/questions/111064/sudoers-how-to-disable-requiretty-per-user

Community
Chris
2

If you want to permanently enable yourself to fiddle around as apache:

chsh apache

This allows you to change the shell for the user.

Jaap
1

Place it in /etc/crontab and specify apache instead of root in the user field.

  • I'm surprised this answer doesn't have any votes or comments. In `man cron`: `Like /etc/crontab, the files in the /etc/cron.d directory are monitored for changes. In general, the system administrator should not use /etc/cron.d/, but use the standard system crontab /etc/crontab.` implies that direct editing of `/etc/crontab` is possible/not discouraged. – Life5ign Feb 10 '23 at 22:15