  1. #1
    Just Joined!
    Join Date
    Oct 2013
    Posts
    3

    Sudo problem in automation script


    Hi, I am not sure if this is technically the best place for this problem but it is within a script so maybe it is.
    So I have 2 users.
    First is "jenkins", second is "ninjonxb". Both of these accounts have nopassword (we are hoping to only have jenkins have nopassword if there is another way, but right now they both do) and !requiretty.
    In my script, it will ssh into a server with the jenkins credentials. If possible, also make it so when calling the ruby script mentioned below $SUDO_USER == ninjonxb, not jenkins. If this isn't possible I can edit the script.
    I have a script that user "jenkins" needs to call with sudo privileges with the environment variables of "ninjonxb".
    I tried the following but it isn't working
    sudo -i -u ninjonxb sudo -E ruby scriptname

    I also tried
    sudo su ninjonxb -c "ruby scriptname"
    but that didn't work either.

    I don't have much experience with Linux. This is only going to be used internally so if I need to make other edits to the sudoers file I may be able to make it. This is never hitting a production server.

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    hello and welcome, ninjonxb!

    if i understand you rightly, you need user "jenkins" to run a ruby script named "scriptname" as user "ninjonxb". is that right?

    If so, the first thing i'd do is make the ruby script executable. to do that, put the path to the ruby parser at the top of the script, e.g.:

    Code:
    #!/usr/bin/ruby
    then use chmod to make it executable, e.g.:
    Code:
    chmod +x scriptname
    now execute it from the command line, to make sure it works without specifying ruby first, e.g.:

    Code:
    ./scriptname
    also, you'll need to know the full path to the script for editing the sudoers file.

    now edit the sudoers file (as root using the visudo command usually), you'll need something like this:

    Code:
    jenkins ALL = (ninjonxb) NOPASSWD: /usr/local/bin/scriptname
    now user jenkins should be able to run that script as ninjonxb. to list the sudo commands allowed for jenkins, do this in a terminal (logged in as jenkins):

    Code:
    sudo -l
    (that is a lower case "L", not a number one)

    if you see the scriptname listed there, you should be good. now test running the command like this (as jenkins):

    Code:
    sudo -u ninjonxb /usr/local/bin/scriptname
    now you should be able to use that sudo command in a script.

    if you get errors, post them here. check /var/log/messages and /var/log/secure if you don't see any errors, but it doesn't work.

  3. #3
    Just Joined!
    Join Date
    Oct 2013
    Posts
    3
    I will be able to try this in a few. However I wanted to ask.

    The ruby script that is being called needs to be run as sudo. It does certain things in the script that need sudo privileges.

    My understanding of sudo -u is that it opens a new shell as the user with whatever privileges that user has which I would think would mean that the ruby script is not being run in sudo.

  5. #4
    Just Joined!
    Join Date
    Oct 2013
    Posts
    3
    ok, So follow up to the answer provided.
    Something is acting strange that we don't understand.
    So here is what I have in my sudoers file:

    Code:
    ninjonxb        ALL=NOPASSWD:   ALL
    Defaults:ninjonxb       !requiretty
    jenkins         ALL=NOPASSWD:   ALL
    Defaults:jenkins       !requiretty
    jenkins ALL = (ninjonxb) NOPASSWD: ALL #I have tried with and without this line
    I did 'all' instead of the particular file due to the sudo privileges needed for everything that is happening

    In our environment ruby is installed inside shared home directories. The home directory for jenkins does not and so it mirrors production, can't have ruby in it.

    So the first problem is that the jenkins user doesn't have ruby, this may be fixed by the solution but wanted to list this if there are any creative ideas


    The problem we are actually seeing is this.
    Outside of my script, as jenkins I run:
    Code:
    sudo -u ninjonxb ruby
    I am just using ruby as something to test
    It prompts me for the jenkins password. Shouldn't this not happen because of what is in my sudoers file?

  6. #5
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    usually you have to explicitly specify the command you wish to run, e.g.

    Code:
    /usr/bin/ruby
    so i would think you need to run:

    Code:
    sudo -u ninjonxb /usr/bin/ruby
    but you need to pass it a script after that, which is why i suggested to make the script the sudo command to specify.

    but before all that, what does this command say?

    Code:
    sudo -l
    it should list all commands that the currently logged in user can run.
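
Added example, not part of the original thread: a simplified Python model of how sudo selects a sudoers rule, run against the lines quoted in post #4 and the narrower rule suggested in post #2. It covers only the rule forms seen here (one user, optional `(runas)` list, optional `NOPASSWD:`, literal command paths or `ALL`); the name `decide` and the sample requests are assumptions made for illustration.

```python
import re

# Constructed from the sudoers lines quoted in post #4 and the rule from post #2.
BROAD = """\
ninjonxb        ALL=NOPASSWD:   ALL
Defaults:ninjonxb       !requiretty
jenkins         ALL=NOPASSWD:   ALL
Defaults:jenkins       !requiretty
"""
BROAD_PLUS_RUNAS = BROAD + "jenkins ALL = (ninjonxb) NOPASSWD: ALL #with this line\n"
TARGETED = "jenkins ALL = (ninjonxb) NOPASSWD: /usr/local/bin/scriptname\n"

# user  host = [(runas list)] [NOPASSWD:] command list
RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def decide(sudoers, user, runas, command):
    """Return 'nopasswd', 'password' or 'denied' for one sudo request.

    Simplified model (an assumption of this example): no aliases, groups,
    host matching, wildcards or tags other than NOPASSWD.
    """
    verdict = "denied"
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        match = RULE.match(line)
        if line.startswith("Defaults") or not match:
            continue                               # Defaults lines grant nothing
        who, _host, runas_list, nopasswd, cmds = match.groups()
        # Without a (runas) list the rule only allows running as root.
        users_part = (runas_list or "root").split(":")[0]
        targets = [t.strip() for t in users_part.split(",")]
        commands = [c.strip() for c in cmds.split(",")]
        if who != user:
            continue
        if runas not in targets and "ALL" not in targets:
            continue
        if command not in commands and "ALL" not in commands:
            continue
        verdict = "nopasswd" if nopasswd else "password"   # last match wins
    return verdict


if __name__ == "__main__":
    requests = [("root", "/bin/sh"), ("ninjonxb", "/usr/bin/ruby"),
                ("ninjonxb", "/usr/local/bin/scriptname")]
    for name, rules in [("broad", BROAD), ("broad+runas", BROAD_PLUS_RUNAS),
                        ("targeted", TARGETED)]:
        for runas, cmd in requests:
            print(name, runas, cmd, decide(rules, "jenkins", runas, cmd))
```

A rule with no `(runas)` list only covers running as root, and when several rules match, the last one decides, so a later password-requiring entry overrides an earlier `NOPASSWD:` one. With only the targeted rule, jenkins can run the one script as ninjonxb and nothing as root.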
