Home / server / Questions / 141439
Accepted
jensendarren
Asked: 2010-05-14 02:48:58 +0800 CST

Execute build task in Hudson with root privilages

  • 772

I have a build script which executes apt-get and therefore requires root privileges. What is the best way to run this script in Hudson?

Currently the only solution I have found that works is to add an entry to the sudoers file for the user hudson like so: 

hudson  ALL=(ALL) NOPASSWD:ALL

However, although my build script now runs without error in Hudson, I am not entirely comfortable with this solution. Is there a better way?

security hudson sudo continuous-integration

2 Answers

  1. Best Answer

    i go one further, with locking down apt-get i lock down what parameters you can use, because we don't want someone installing or removing something.

    %admins         ALL =  NOPASSWD:                   \
                    /usr/bin/apt-get update,        \
                    /usr/bin/apt-get dist-upgrade,  \
                    /usr/bin/apt-get upgrade

    which gives the group admins permissions to run apt-get update/dist-upgrade/upgrade without providing a password.

    • 6

  2. You could lock down the commands that the hudson user is allowed to execute as root; change the line in your sudoers file to:

    hudson   ALL=/usr/bin/apt-get  NOPASSWD:ALL

    (Check the path to your apt-get binary - I'm running on Fedora so don't have that command)

    • 1