
We are running Hudson to monitor a couple of shell jobs. The problem is that Hudson runs all jobs as user "hudson".

That's OK, except for some special commands that require superuser rights, like "chown" and "apachectl". We have the following in our sudoers file (visudo):

Defaults:hudson !requiretty
%hudson ALL = NOPASSWD: /usr/sbin/apachectl, /bin/chown

But this gives us the following error when we want to call apachectl -k graceful in our shell script:

sudo: no tty present and no askpass program specified

Does anyone have any idea on how we can solve this?

solsol
  • Are you certain that your script is hitting /usr/sbin/apachectl and not apachectl somewhere else in PATH? Does everything work if you run the command line manually (e.g., become the 'hudson' user, and then try 'sudo apachectl ...')? What is sudo logging to syslog? – larsks Dec 10 '10 at 16:25
  • Hi larsks! Yes, manually everything is working. I'm not sure about the apachectl path. I did a locate to find apachectl and loaded that outcome in the sudoers file. How do I know in what PATH apachectl is running? I'm also thinking it has something to do with the -k parameter, which has to be allowed in the sudoers file? – solsol Dec 10 '10 at 17:09
  • Your sudoers syntax is fine. When you specify a command with no parameters, it allows all parameters. You know which apachectl is running because, in your script, you call it with an explicit path (e.g., by making sure you type "/usr/sbin/apachectl" instead of just "apachectl"). Are there other entries in the sudoers file that could be conflicting with this one? What happens if you comment everything else out? – larsks Dec 10 '10 at 17:15
  • Ok man, you rock! We didn't call /user/sbin/apachectl, but only apachectl in the script! This solved the issue. Please reply to this thread so I can mark your answer as the correct one? – solsol Dec 10 '10 at 17:33
  • You have to say @larsks to make sure your message is seen by the intended recipient. – Dennis Williamson Dec 11 '10 at 00:58
  • Note that giving someone access to chown arbitrary files essentially gives them access to root to do anything at all. – stew May 24 '12 at 15:04

2 Answers

[Moved from the comment above]

Your script may be finding the apachectl binary somewhere else in $PATH other than /usr/sbin/apachectl. This would fail to match your existing sudoers entry. If you call the command with an explicit path (i.e., use /usr/sbin/apachectl in your script, rather than just apachectl) you can make sure you're using the right one. This is a good practice in general.

larsks
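
The check described in the answer above, written as a pre-flight step for the job script. This is an added example, not part of the original thread: the function names are hypothetical, and ALLOWED simply mirrors the command list in the question's sudoers line.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# ALLOWED mirrors the command list in the question's sudoers line.
ALLOWED="/usr/sbin/apachectl /bin/chown"

# Print the absolute path a bare command name resolves to via PATH.
# Returns 1 if the name is not found or resolves to a function, alias or builtin.
resolve_cmd() {
    _p=$(command -v "$1" 2>/dev/null) || return 1
    case $_p in
        /*) printf '%s\n' "$_p" ;;
        *)  return 1 ;;
    esac
}

# 0: resolved path is in ALLOWED; 1: resolves elsewhere; 2: cannot be resolved.
check_sudo_target() {
    _r=$(resolve_cmd "$1") || { echo "unresolved: $1"; return 2; }
    for _a in $ALLOWED; do
        if [ "$_r" = "$_a" ]; then
            echo "match: $_r"
            return 0
        fi
    done
    echo "mismatch: $1 resolves to $_r, which is not in the sudoers list"
    return 1
}

# Run a privileged step only when it is given as an absolute path from ALLOWED.
# sudo -n never prompts, so a rule mismatch fails at once instead of asking for a password.
run_privileged() {
    case " $ALLOWED " in
        *" $1 "*) sudo -n "$@" ;;
        *) echo "refusing: '$1' is not an absolute path from the sudoers list" >&2
           return 126 ;;
    esac
}
```

In a job script, `check_sudo_target apachectl` shows which binary a bare name would pick up, and `run_privileged /usr/sbin/apachectl -k graceful` performs the call with the explicit path.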

You should use the full path (as per comment).

E.g. /usr/sbin/apachectl not just apachectl in the script!

This should solve the issue.

kenorb