When running any sudo command from Jenkins I get the following error:
sudo: no tty present and no askpass program specified
I understand that I can solve this by adding a NOPASSWD entry to my /etc/sudoers file which will allow user jenkins to run commands without needing a password. I can add an entry like this:
%jenkins ALL=(ALL)NOPASSWD:/home/vts_share/test/sudotest.sh
...but this leads to the following issue: how to avoid specifying full path in sudoers file?
I can add an entry like this:
%jenkins ALL=NOPASSWD: ALL
...but this allows user jenkins to avoid the password prompt for all commands, which seems a bit unsafe. I'm just curious what my options are here, and if there are any best practices I should consider.
I believe you are looking for this option from man sudoers
here are my recommendations in order of most secure to least secure:
1) don't let jenkins sudo at all. if you're doing package builds, look into fakeroot. jenkins doesn't need root to build software.
2) if you do need jenkins to have root, consider either restricting the sudo abilities with the sudoers Cmnd options.
3) run jenkins on a disposable VM. if someone roots it, rebuild it and re-evaluate your security choices.
I would also recommend running jenkins as an intranet service, only accessible via LAN or VPN. don't forget to include authentication!
if you run a sudo as a jenkins user as part of a script you need two things.
exact copy of the command.. like /bin/chown www-data /var/www
sudo -n exact command
the -n will tell it not to ask for a prompt if it's a NOPASSWD.
this fixed me up for running sudo in a script that jenkins calls
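As an added example (not part of the original posts), a small shell linter for the NOPASSWD entries discussed above: it flags the question's two entries and passes an entry pinned to an exact command and arguments, as the last answer suggests. The function names, finding labels and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint NOPASSWD sudoers entries granted to a CI account.
# Prints "skip", "ok", or a space-separated list of findings for one line.
# The body is a subshell, so IFS/set -f changes and exit stay inside it.
lint_nopasswd() (
  line=$1 findings="" runas=""
  case $line in
    ''|'#'*) echo skip; exit 0 ;;
    *NOPASSWD:*) ;;
    *) echo skip; exit 0 ;;
  esac
  spec=${line%%NOPASSWD:*}   # "who host=(runas)" part
  cmds=${line#*NOPASSWD:}    # comma-separated command list
  case $spec in
    *"("*")"*) runas=${spec#*\(}; runas=${runas%%\)*} ;;
  esac
  # (ALL) lets the caller choose any target user, not only root.
  case $runas in ALL|ALL:*) findings="runas-any" ;; esac

  IFS=','; set -f
  for cmd in $cmds; do
    cmd=${cmd#"${cmd%%[![:space:]]*}"}   # trim leading whitespace
    cmd=${cmd%"${cmd##*[![:space:]]}"}   # trim trailing whitespace
    case $cmd in
      ALL)    findings="$findings all-commands" ;;
      /*' '*) ;;                                # absolute path, arguments pinned
      /*)     findings="$findings any-args" ;;  # no arguments listed: any accepted
      *)      findings="$findings review" ;;    # alias or non-path entry: check by hand
    esac
  done
  findings=${findings# }
  echo "${findings:-ok}"
)

# Constructed sample: the question's two entries plus one pinned entry.
lint_sample() {
  while IFS= read -r entry; do
    printf '%-24s %s\n' "$(lint_nopasswd "$entry")" "$entry"
  done <<'EOF'
%jenkins ALL=(ALL)NOPASSWD:/home/vts_share/test/sudotest.sh
%jenkins ALL=NOPASSWD: ALL
jenkins ALL=(root) NOPASSWD: /bin/chown www-data /var/www
EOF
}
lint_sample
```

This is a text-level check only: Cmnd_Alias names are not expanded and land in the "review" bucket. visudo -c remains the syntax check for the real file.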