Execute build task in Hudson with root privilages

security sudo hudson continuous-integration

I have a build script which executes apt-get and therefore requires root privileges. What is the best way to run this script in Hudson?

Currently the only solution I have found that works is to add an entry to the sudoers file for the user hudson like so: 

hudson  ALL=(ALL) NOPASSWD:ALL

However, although my build script now runs without error in Hudson, I am not entirely comfortable with this solution. Is there a better way?


i go one further, with locking down apt-get i lock down what parameters you can use, because we don't want someone installing or removing something.

%admins         ALL =  NOPASSWD:                   \
                    /usr/bin/apt-get update,        \
                    /usr/bin/apt-get dist-upgrade,  \
                    /usr/bin/apt-get upgrade

which gives the group admins permissions to run apt-get update/dist-upgrade/upgrade without providing a password.


You could lock down the commands that the hudson user is allowed to execute as root; change the line in your sudoers file to:

hudson   ALL=/usr/bin/apt-get  NOPASSWD:ALL

(Check the path to your apt-get binary - I'm running on Fedora so don't have that command)

Related

Importing from CSV and sorting by Date
Understanding the Mounting of a Filesystem
ActiveDirectory machine accounts: same SID after machine rebuild?
How Do I Install a Webmin Module? [closed]
Openerp wIth Ubuntu 9.04
Max ping response time?
Can someone explain the difference between app server/web server/web services?
Why give owner anything other than 7 for file permissions?
Linux/SSH command to delete every filepath found in file
transparent git-svn gateway
What are the minimum RAM requirements for Server Core 2008 R2?
How to automate starting a multiuser screen session with adding acl to another user?