_initpath() calls sudo... about acme.sh HOT 5 CLOSED

What error do you see ?

from acme.sh.

I see the following in my cron job output:

sudo: no tty present and no askpass program specified

Note: I don't receive such errors when running interactively.

I receive multiple (5) security alerts from sudo:

FQDN : Feb 13 22:40:01 : USER : a password is required ; TTY=unknown ; PWD=/working/path ; USER=root ; COMMAND=/usr/bin/uptime

I followed the flow of a "renew" through the code and see no need for sudo to be used for a renewal. In fact, when I searched for sudo in the code, the only two places I see reference to it is the test in _initpath() and the routine that creates the cron job.

So, I don't understand why sudo is included at all, especially when there is a comment that it's not require

from acme.sh.

just fixed. "sudo" is removed from the crontab.

"Not required to be root" doesn't mean "Not be root in any cases". for example, If you use standalone mode to issue cert, when the crontab tries to re-issue the cert , it must be root to be able to listen to 80 port.

Your machine just seems not quite normal: the root user is required to input password when using sudo.

In most normal cases, the password is not required for root user to use sudo.

Yes, this issue maybe a problem for a normal sudoer, who is required to input password. That's why I removed 'sodu' from crontab.

I think normal sudoers should use other approaches to get rid of the issue above.

from acme.sh.

Is sudo still part of the _initpath() function?

You seem to be assuming that I'm running the cron job as root. That is a false assumption. I'm not running the cron job as root. I'm running the cron job as my unprivileged user.

Many distrobutions may allow root to run sudo, some even with NOPASSWD: However, assuming ~> expecting that to be the case is very dangerous. Many ~> most enterprise environments will abandon the defaults with prejudice. (I know of a top 100 consulting company that just finished a company wide security audit / cleanup effort for thousands of their client companies restricting sudo like I'm describing.)

Even if root is allowed to run sudo -and- do so with NOPASSWD:, there is an EXTREMELY good chance that sudo is configured to 'requiretty'. So, unless someone goes WAY out of their way to generate a bogus tty (something that is not trivial to do), non-interactive jobs (like cron) won't have a tty. Thus they can't satisfy the 'requiretty' parameter.

from acme.sh.

@drscriptt see f9a1b64

from acme.sh.