
I have my project running on an Ubuntu server and I did everything through the user myname. The project files, all related directories and static files used by my application belong to the user myname.

Now I want to set up Jenkins Freestyle project for CI/CD in the ubuntu server, when I install Jenkins, a new jenkins user is created.

In the build step, when Jenkins performs the job through Execute shell, it executes the shell commands through the jenkins user instead of the default myname user, which has no permissions to anything about the app. Therefore, it's impossible for the Jenkins build to work:

  1. it cannot execute git pull origin master through the jenkins user to pull the latest changes;
  2. it cannot run venv/bin/python myapp.py to start the application;
  3. even if I change the owner of myapp.py to the jenkins user, the running process cannot access any directories/storages/static files with the jenkins user;
  4. so, I'll have to do sudo chown -R jenkins:jenkins * on everything I've worked on, everything that's related to my app.

This seems to be really silly. I must have missed something obvious...

What is an elegant way for Jenkins to work?


@Raman mentioned that I should run the commands with sudo -u myname; I tried so:

The Jenkins build Execute shell commands of the Freestyle project are defined as follows:

cd /home/john/jenkins_test/
whoami
sudo -u john whoami 
sudo -u john git pull

The Jenkins build shows the following output:

[test] $ /bin/sh -xe /tmp/jenkins2232617598308237553.sh
+ cd /home/john/jenkins_test/
+ whoami
jenkins
+ sudo -u john whoami
sudo: no tty present and no askpass program specified
Build step 'Execute shell' marked build as failure
Finished: FAILURE
Kid_Learning_C
  • You need to run the commands with sudo -u myname – Raman Sailopal Nov 06 '20 at 11:39
  • @RamanSailopal Thank you for your reply. Could you check my updates in the question? I tried but it didn't work... – Kid_Learning_C Nov 06 '20 at 14:56
  • @RamanSailopal No, don't do that!!! Never!!! You can lose your job for this and it would be correct to fire you. – Thomas Sablik Nov 06 '20 at 14:57
  • @ThomasSablik Could you elaborate? What is the risk here? – Kid_Learning_C Nov 06 '20 at 14:59
  • You'd have to allow either `sudo` or `sudo -u john`. The former means that the development has complete admin rights on that system. The latter is just the wrong way. – Thomas Sablik Nov 06 '20 at 15:03
  • @ThomasSablik So why is it wrong to give complete admin rights? How should I configure Jenkins to build then? This seems to be a very basic question to anyone who tries to use Jenkins, and yet I couldn't find official documentations about it... – Kid_Learning_C Nov 06 '20 at 15:08
  • @ThomasSablik makes a fair point. My comment could have been written better. I would suggest putting the necessary commands in a specific script and allow sudo access to that specific script. – Raman Sailopal Nov 06 '20 at 15:10
  • In a serious company you have the development and the operating. Operating manages the systems. Development has at most reading permission for some directories. Running such scripts with admin rights means that the developers can create new users with admin rights and hack your systems. If you think it's okay to run scripts with admin permissions you haven't understood the Linux permission system. Most build machines have passwords for production systems. A developer shouldn't be able to get access to these passwords. – Thomas Sablik Nov 06 '20 at 15:10
  • @ThomasSablik I see. That's fair. I'm not in a serious company though lol. I'm doing all the dev and ops on my own. How to allow Jenkins to execute shell commands with `sudo` though? – Kid_Learning_C Nov 06 '20 at 15:14
  • @RamanSailopal How to allow Jenkins to execute shell commands with `sudo` though? – Kid_Learning_C Nov 06 '20 at 15:15
  • Take a look at this - https://linux.die.net/man/8/visudo – Raman Sailopal Nov 06 '20 at 20:52

2 Answers


After a long time of searching and trying, I found the solution. Below is a summary of things you can do:

Method 1

reference: jenkins build failure shell command permission denied

Since everything belongs to the myname user, just add the jenkins user to the myname group:

sudo usermod -a -G myname jenkins

and the command groups jenkins should show:

> myname@vm:~/myname/jenkins_test$ groups jenkins
> jenkins : jenkins myname

Now you must restart jenkins for this change to take effect:

sudo systemctl restart jenkins

Build again, it works. This is the method I've tried.

Method 2

I have not tried this method yet. Just listing it for reference. In the Jenkins build Execute shell, put commands with sudo, e.g. sudo git pull. When building, there will be an error:

sudo: no tty present and no askpass program specified

In order for the jenkins user to run sudo, edit the /etc/sudoers file:

sudo visudo

and add this line to the end of the file:

jenkins ALL=(ALL) NOPASSWD: ALL

Then restart Jenkins

ref: https://stackoverflow.com/a/37653164/3703783

https://stackoverflow.com/a/24648413/3703783

Method 3

I have not tried this method yet. Just listing it for reference.

  • change the jenkins default user to myname in /etc/default/jenkins (sudo vi /etc/default/jenkins);
  • to restart successfully, also change the owner of /var/lib/jenkins, /var/log/jenkins and /var/cache/jenkins to the myname user.

ref: https://dev-admin-docs.readthedocs.io/en/latest/Jenkins%20CI/Run_Jenkins_Under_Another_Username/

http://blog.manula.org/2013/03/running-jenkins-under-different-user-in.html

I still cannot believe it... This is such a basic question to anyone who tries to use Jenkins, and yet I couldn't find official documentations about it..

Kid_Learning_C

I could not find any documentation about this first step required on a Linux box either.

Following your method 1, the following seems to work for me after installation with yast on OpenSUSE 15.1:

  • Changed the entry for the "jenkins" user in /etc/passwd so "jenkins" group is the development group.
  • chown /var/lib/jenkins to be owned by jenkins:development
  • Changed the umask of development group members so group members have write permission
  • restart the host
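Method 1 in the first answer and the steps in the second answer both rely on group ownership, and the comments suggest allowing sudo for one specific script rather than the blanket jenkins ALL=(ALL) NOPASSWD: ALL of Method 2. The POSIX shell script below is an added example and is not code from either answer or from Jenkins. It applies the group fix to a constructed copy of an app tree (group read/write plus the setgid bit on directories, so files that a later git pull creates as jenkins inherit the shared group instead of the jenkins group), counts what would still be unwritable for group members, and prints the narrow sudoers rule. The names jenkins, john, myname and /home/john/deploy.sh are placeholders taken from the thread, and the demo uses the caller's own primary group so it runs without root; on the real server you would first run sudo usermod -a -G myname jenkins and pass myname as the group.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder names: jenkins (CI user),
# john (app owner), /home/john/deploy.sh (the one script sudo should allow).
set -eu

# Give group $2 read/write access to everything under $1 and set the setgid
# bit on directories so files created later by the CI user (e.g. by
# `git pull`) inherit that group instead of the creator's primary group.
share_tree() {   # share_tree <app_dir> <group>
  chgrp -R "$2" "$1"
  chmod -R g+rwX "$1"                 # X: execute bit only on dirs and executables
  find "$1" -type d -exec chmod g+s {} +
}

# Number of paths under <app_dir> that group members cannot write
# (-perm -020 = group-write bit set). 0 means the "add jenkins to the
# group" fix will actually hold for the whole tree.
count_not_group_writable() {   # count_not_group_writable <app_dir>
  find "$1" ! -perm -020 | wc -l | tr -d ' '
}

# Number of directories without the setgid bit (-perm -2000); any such
# directory hands files the CI user creates to the wrong group.
count_dirs_without_setgid() {   # count_dirs_without_setgid <app_dir>
  find "$1" -type d ! -perm -2000 | wc -l | tr -d ' '
}

# The line to add with `sudo visudo`: <ci_user> may run exactly <script> as
# <app_user> with no password, which also removes the "no tty present and
# no askpass program specified" failure for that one command. Unlike
# "jenkins ALL=(ALL) NOPASSWD: ALL" it does not hand the CI user root.
sudoers_rule() {   # sudoers_rule <ci_user> <app_user> <script>
  printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Stand-alone demo on a constructed tree in a temp dir (no root needed):
# the caller's own primary group stands in for the real "myname" group.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/app/static" "$tmp/app/venv/bin"
  printf 'print("hello")\n' > "$tmp/app/myapp.py"
  : > "$tmp/app/static/style.css"
  chmod -R go-w "$tmp/app"            # start like the question: only the owner can write
  echo "before: $(count_not_group_writable "$tmp/app") paths not group-writable"
  share_tree "$tmp/app" "$(id -gn)"
  echo "after:  $(count_not_group_writable "$tmp/app") paths not group-writable," \
       "$(count_dirs_without_setgid "$tmp/app") dirs without setgid"
  echo "sudoers rule: $(sudoers_rule jenkins john /home/john/deploy.sh)"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as sh share_tree.sh demo. On the real tree, share_tree /home/john/jenkins_test myname followed by the two counts tells you whether the group fix will work before you touch Jenkins; the printed line goes into sudoers via sudo visudo, and the script it names must not be writable by jenkins, otherwise jenkins can edit what it is allowed to run as john.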