sudo inside Jenkins pipeline script

时光总嘲笑我的痴心妄想 submitted on 2021-01-29 10:52:54

Question


We have the following setup:

  1. We have a few UNIX boxes.
  2. There are users provisioned to these boxes (ex: spande).
  3. These users have limited privileges, but can do sudo to elevate the permissions (sudo user: admin).
  4. The sudo happens without any password.

We have a CI/CD tool in Jenkins which uses these Unix boxes as slaves. We have spande credentials to log in to these Unix servers via Jenkins.

We are using Jenkins Pipeline Scripts (groovy). All is well, but we want the Jenkins script to run with a higher privilege and hence need to know:

  1. How can we do sudo within a Jenkins script? (sudo su - admin)
  2. Is this a best practice / good approach to sudo within a script? If not, what other alternatives do we have? (our Unix server team is not ready to create a password-enabled user with higher privileges due to organisation policies)

Any help is appreciated!!


Answer 1:


Generally speaking, using sudo as part of a script is fine, so long as you're not granting higher permissions than you need. Instead of running su - admin it's usually better to figure out which commands Jenkins needs to run as admin and put those into your sudoers file directly.

Say you need to run the following programs as user admin as part of your Jenkins job:

/usr/bin/execute
/home/admin/calculate
/opt/synergize

Your sudoers file could look something like this (assuming your Jenkins user is jenkins):

jenkins ALL = (admin) NOPASSWD: /usr/bin/execute, /home/admin/calculate, /opt/synergize

This would allow the jenkins user to run the following commands without a password:

sudo -u admin /usr/bin/execute
sudo -u admin /home/admin/calculate
sudo -u admin /opt/synergize

From a security standpoint this is preferred to providing su - admin access, since then jenkins could do anything admin could without any real restrictions. The sudoers file is very flexible and you should be able to restrict jenkins while still allowing it to do the job it needs to do.
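As an added example (not part of the original answer), here is a declarative Jenkinsfile that uses the per-command sudoers rule from the answer. It assumes the rule above is installed for the agent's user, that the three program paths are exactly as listed, and that an agent with the placeholder label unix-box exists. It also assumes the Jenkins agent process runs as the jenkins user. The first stage uses sudo -l to verify that each command is actually permitted by the policy, so a typo in sudoers fails the build before any work runs; sudo -n makes a misconfigured rule fail immediately instead of hanging the job on a password prompt.

```groovy
// Added example Jenkinsfile (not from the original answer or the project).
// Assumes the sudoers entry from the answer is in place for the "jenkins" user
// and that an agent labelled "unix-box" exists (label is a placeholder).
pipeline {
    agent { label 'unix-box' }
    options { timeout(time: 10, unit: 'MINUTES') }
    stages {
        stage('Check sudo policy') {
            steps {
                // "sudo -l <command>" exits non-zero when the policy does not allow
                // that exact command for the target user, so a bad rule fails here.
                // "-n" (non-interactive) makes sudo fail instead of waiting for a password.
                sh 'sudo -n -l -u admin /usr/bin/execute'
                sh 'sudo -n -l -u admin /home/admin/calculate'
                sh 'sudo -n -l -u admin /opt/synergize'
            }
        }
        stage('Run as admin') {
            steps {
                // The paths must match the sudoers entry exactly; "--" ends sudo's
                // option parsing so nothing after it is taken as a sudo flag.
                sh 'sudo -n -u admin -- /usr/bin/execute'
                sh 'sudo -n -u admin -- /home/admin/calculate'
                sh 'sudo -n -u admin -- /opt/synergize'
            }
        }
    }
}
```

Put the rule in its own file under /etc/sudoers.d/ and check it with `visudo -cf <file>` before deploying; a syntax error in the main sudoers file can lock everyone out of sudo, whereas a per-file check catches it first. Keep the allowed programs owned by root and not writable by jenkins, otherwise the command restriction can be bypassed by editing the program itself.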



Source: https://stackoverflow.com/questions/52379157/sudo-inside-jenkins-pipeline-script
