Crontab Sudo Shenanigans

OK, here is a situation I haven’t seen in a while and it tripped me.  There I admitted it!

We have an application that requires a restart of Apache everyday (that is a different discussion).  Regardless I gave them sudo access so they could script the job to run with their process.  Obviously I thought nothing more of it, problem solved, more pressing things to do.  It worked like a charm until they put their script into cron.  They received the error:

sudo: sorry, you must have a tty to run sudo

I didn’t want to throw the baby out with the bathwater and enable tty for all of cron-dom, and I like command-line solutions over config files (less to maintain/remember).  So I tried this variation:

su --session-command="/usr/bin/sudo /sbin/service httpd restart" user_name

Slick huh?  Well of course it didn’t work because sudo is in control, pesky security controls keep me on the straight and narrow. This led me to one option, enable tty for the user (not everyone).  The solution for that is:

Defaults    requiretty
Defaults:%group_name !requiretty
Defaults:user_name !requiretty

In case that isn’t clear enough.  The first line requires TTY for all users and groups not expressly excluded from that requirement.  The second line exempts the group from the requirement and the the third line specifically exempts the user from the requirement.  The inclusion of the User_name and Group_name is redundant however this saves me revisiting the configuration file if we expand the group.

This ends the brain dump…