4

I have a build script which executes apt-get and therefore requires root privileges. What is the best way to run this script in Hudson?

Currently the only solution I have found that works is to add an entry to the sudoers file for the user hudson like so:

hudson  ALL=(ALL) NOPASSWD:ALL

However, although my build script now runs without error in Hudson, I am not entirely comfortable with this solution. Is there a better way?

jensendarren

2 Answers

6

I go one further: with locking down apt-get, I lock down what parameters you can use, because we don't want someone installing or removing something.

%admins         ALL =  NOPASSWD:                   \
                    /usr/bin/apt-get update,        \
                    /usr/bin/apt-get dist-upgrade,  \
                    /usr/bin/apt-get upgrade

which gives the group admins permissions to run apt-get update/dist-upgrade/upgrade without providing a password.

cpbills
1

You could lock down the commands that the hudson user is allowed to execute as root; change the line in your sudoers file to:

hudson   ALL = NOPASSWD: /usr/bin/apt-get

(Check the path to your apt-get binary - I'm running on Fedora so don't have that command)

Kamil Kisiel
gareth_bowles