Linux – Best practices to avoid Jenkins error: sudo: no tty present and no askpass program specified

Tags: Jenkins, linux, sudo, Ubuntu

When running any sudo command from Jenkins I get the following error:

sudo: no tty present and no askpass program specified

I understand that I can solve this by adding a NOPASSWD entry to my /etc/sudoers file which will allow user jenkins to run commands without needing a password. I can add an entry like this:

%jenkins ALL=(ALL)NOPASSWD:/home/vts_share/test/sudotest.sh

…but this leads to the following issue: how to avoid specifying the full path in the sudoers file?

I can add an entry like this:

%jenkins ALL=NOPASSWD: ALL

…but this allows user jenkins to avoid the password prompt for all commands, which seems a bit unsafe. I'm just curious what my options are here, and if there are any best practices I should consider.

Best Answer

I believe you are looking for this option from man sudoers

   requiretty      If set, sudo will only run when the user is logged in to a real tty.  When this flag
                   is set, sudo can only be run from a login session and not via other means such as
                   cron(8) or cgi-bin scripts.  This flag is off by default.

here are my recommendations in order of most secure to least secure:

1) don't let jenkins sudo at all. if you're doing package builds, look into fakeroot. jenkins doesn't need root to build software.

2) if you do need jenkins to have root, consider restricting the sudo abilities with the sudoers Cmnd options.

3) run jenkins on a disposable VM. if someone roots it, rebuild it and re-evaluate your security choices. I would also recommend running jenkins as an intranet service, only accessible via LAN or VPN. don't forget to include authentication!
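As an added example (not code from the question or the answer above), here is what option 2 looks like in practice: a sudoers drop-in that lets jenkins run root-owned helper scripts from one directory without a password, instead of `NOPASSWD: ALL`. It also shows the check that makes such an entry meaningful: if jenkins can write the script, the entry is equivalent to `NOPASSWD: ALL`. The directory `/opt/jenkins-sudo` and the drop-in name `/etc/sudoers.d/jenkins` are assumptions for this example; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original question or answer. It renders a
# restricted sudoers drop-in for the jenkins user, syntax-checks it with
# visudo when visudo is installed, and checks that a NOPASSWD target is
# not writable by jenkins. /opt/jenkins-sudo is an assumed location.
set -eu

SUDO_DIR=/opt/jenkins-sudo   # assumed directory of root-owned helper scripts

# Render the drop-in. In a Cmnd_List, a directory path ending in "/"
# matches every file directly inside that directory (not subdirectories),
# so new scripts can be dropped there without editing sudoers, while the
# grant still falls far short of ALL.
render_sudoers() {
    cat <<EOF
# Root commands jenkins may run without a password.
Cmnd_Alias JENKINS_CMDS = ${SUDO_DIR}/

# jenkins runs as a service with no tty; relax requiretty for it only.
Defaults:jenkins !requiretty

jenkins ALL=(root) NOPASSWD: JENKINS_CMDS
EOF
}

# Syntax-check the rendered drop-in with visudo before installing it.
# Prints "ok" on success, "skipped" when visudo is not on PATH.
validate_sudoers() {
    tmp=$(mktemp)
    render_sudoers > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if visudo -c -f "$tmp" >/dev/null 2>&1; then
            echo ok
        else
            rm -f "$tmp"
            return 1
        fi
    else
        echo skipped
    fi
    rm -f "$tmp"
}

# A NOPASSWD target is only as safe as its permissions. Returns 0 only
# when the file exists, is owned by root, and has neither the group nor
# the other write bit set (GNU find: -perm /022 matches if either is set).
check_nopasswd_target() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -maxdepth 0 -user root ! -perm /022 2>/dev/null)" ]
}

# Typical use: render, validate, then install with the mode sudo expects.
#   validate_sudoers && render_sudoers | install -m 0440 -o root -g root /dev/stdin /etc/sudoers.d/jenkins
#   for s in "$SUDO_DIR"/*; do check_nopasswd_target "$s" || echo "unsafe: $s"; done
```

In the Jenkins job itself, call the scripts as `sudo -n /opt/jenkins-sudo/foo.sh`: with `-n` sudo never tries to prompt, so a misconfiguration fails immediately with "a password is required" instead of the askpass error. Keep the scripts themselves small and argument-free where possible; an argument that the script passes to another command is another way to turn a narrow grant into a broad one.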