3

Here's my simple runme.sh:

```bash
#!/bin/bash

/bin/echo 'CbEYKFKt' | /usr/bin/sudo -S /bin/su -c "whoami;/etc/init.d/iptables stop"
```

Here, 'CbEYKFKt' is the password for the current user, samX, who has root privileges (I have appended "samX ALL=(ALL:ALL) ALL" in visudo). I intend to stop iptables at a specific time via crontab, but nothing happens to the iptables service when the time is up. Nevertheless, if I execute bash runme.sh, it works fine.

My crontab is as follows:

```
58 16 * * * /bin/bash /home/data/samX/runme.sh 2>&1 > /home/data/samX/log_cron
```

Nothing is printed to the log_cron file. Is there anything wrong with my code? Thanks in advance.

P.S. An error is printed after I moved 2>&1 to the end:

```
sudo: sorry, you must have a tty to run sudo
```

Does anyone know what that means?

Judking
  • The order matters: Try `58 16 * * * /bin/bash /home/data/samX/runme.sh > /home/data/samX/log_cron 2>&1` – martin Apr 29 '15 at 09:49
  • As I have told you in your [other question](http://stackoverflow.com/questions/29938453/how-can-i-apply-password-to-sudo-in-one-line-command-and-execute-su-root), you should fix your sudoers, but that's just for other readers who want to copy the saved password. – martin Apr 29 '15 at 09:49
  • Why does the order matter? A link to the related official explanation would be appreciated :] @martin – Judking Apr 29 '15 at 10:34
  • I'm just testing this scenario; once it's solved, I'll add NOPASSWORD to visudo. Thanks for mentioning it again! @martin – Judking Apr 29 '15 at 10:35
  • See also [here](http://stackoverflow.com/questions/637827/redirect-stderr-and-stdout-in-a-bash-script) but it has something to do with when file descriptors are opened and so on. – martin Apr 29 '15 at 10:55
  • Just googling the new error returns [that](http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password) – martin Apr 29 '15 at 10:56
  • Why won't you use root's crontab? – pacholik Apr 29 '15 at 10:59
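
Why the redirection order in the question's crontab line matters, as an added example that is not part of the original thread: the shell applies redirections left to right, so `2>&1 > file` and `> file 2>&1` send stderr to different places. `fake_job` is a constructed stand-in that only prints the tty error from the question on stderr; no real sudo is invoked, and the function names are hypothetical.

```bash
#!/bin/bash
# Constructed stand-in for the cron job in the question. It does not call the
# real sudo; it only reproduces the symptom: sudo refuses on stderr before
# whoami can write anything to stdout.
fake_job() {
    echo "sudo: sorry, you must have a tty to run sudo" >&2
    return 1
}

# Order from the question's crontab: "2>&1 > file".
# Redirections are applied left to right: fd 2 is first duplicated from the
# current fd 1 (under cron, the stream cron collects; here, the command
# substitution), and only then is fd 1 pointed at the file. stderr never
# reaches the log. Prints whatever escaped the log.
run_question_order() {
    log=$1
    leaked=$(fake_job 2>&1 > "$log") || true
    printf '%s' "$leaked"
}

# Order from the first comment: "> file 2>&1".
# fd 1 is pointed at the file first, then fd 2 is duplicated from it, so both
# streams land in the log.
run_fixed_order() {
    log=$1
    leaked=$(fake_job > "$log" 2>&1) || true
    printf '%s' "$leaked"
}

# Show both orders side by side using throwaway log files.
demo() {
    dir=$(mktemp -d)
    echo "2>&1 > log : escaped=[$(run_question_order "$dir/a.log")] log=[$(cat "$dir/a.log")]"
    echo "> log 2>&1 : escaped=[$(run_fixed_order "$dir/b.log")] log=[$(cat "$dir/b.log")]"
    rm -rf "$dir"
}
demo
```

With the question's order the log file stays empty and the error escapes to the job's original output stream, which matches the empty log_cron; with the corrected order the same error lands in the log.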

2 Answers

1

Authentication utilities like sudo generally read the password from the controlling terminal (e.g. through /dev/tty, see tty(4)), not from standard input. (But you could pass -S to sudo to ask it to read the password on stdin.)

You could use expect (which is able to deal with terminals), but you could simply configure your /etc/sudoers to disable password checking.

For example, you could have a line like

```
%sudo   ALL=NOPASSWD:  ALL
```

in your /etc/sudoers file. It would allow any member of the sudo group to use sudo without typing any password.

This of course opens a security hole in your computer. Do that at your own risk.

Finally, you could carefully wrap your script in a setuid executable (carefully write such a program in C, then chmod u+s the executable).

Basile Starynkevitch
0

Instead of putting all commands in one line, you can write the code normally and break it into several lines:

```bash
#!/bin/bash
echo "CbEYKFKt" | sudo -S echo && sudo -s <<EOF
# Put your code here
# All of this code will be executed via sudo
EOF
```

Jahid
  • Yes, the first one is to take the password from echo, the second one is for EOF. Note: `-S` and `-s` are different – Jahid Apr 29 '15 at 10:40
  • I have edited my answer, the previous one was wrong. This one will work. @BasileStarynkevitch – Jahid Apr 29 '15 at 11:12
  • Sorry, it doesn't survive the latest error regarding `tty`, which has been added to my question. Please have a look, thanks. – Judking Apr 29 '15 at 11:16
  • "That's probably because your `/etc/sudoers` file (or any file it includes) has: `Defaults requiretty`" from: http://unix.stackexchange.com/questions/122616/why-do-i-need-a-tty-to-run-sudo-if-i-can-sudo-without-a-password – Jahid Apr 29 '15 at 11:55