When running any sudo command from Jenkins I get the following error:
sudo: no tty present and no askpass program specified
I understand that I can solve this by adding a NOPASSWD entry to my /etc/sudoers file, which will allow user jenkins to run commands without needing a password. I can add an entry like this:
%jenkins ALL=(ALL)NOPASSWD:/home/vts_share/test/sudotest.sh
…but this leads to the following issue: how to avoid specifying full path in sudoers file?
I can add an entry like this:
%jenkins ALL=NOPASSWD: ALL
…but this allows user jenkins to avoid the password prompt for all commands, which seems a bit unsafe. I'm just curious what my options are here, and if there are any best practices I should consider.
Best Answer
I believe you are looking for this option from man sudoers
here are my recommendations in order of most secure to least secure:
1) don't let jenkins sudo at all. if you're doing package builds, look into fakeroot. jenkins doesn't need root to build software.
2) if you do need jenkins to have root, consider either restricting the sudo abilities with the sudoers Cmnd options.
3) run jenkins on a disposable VM. if someone roots it, rebuild it and re-evaluate your security choices. I would also recommend running jenkins as an intranet service, only accessible via LAN or VPN. don't forget to include authentication!