Executing a shell script as another user in JENKINS-CI

Recently I ran into a problem with Jenkins: I needed a build to run a script as another user (because only certain users are allowed to access, remove or create the files involved).

Here is one solution, hopefully secure enough, that I ran on Ubuntu (it should be very similar on other Linux systems):

1. Set a password for the jenkins user (the account the Jenkins service runs as)
sudo passwd jenkins

2. Add jenkins to the sudoers file
sudo visudo (this edits /etc/sudoers safely; a syntax error in that file locks everyone out of sudo, so do not edit it with a plain editor) and add one line:
jenkins ALL=(ALL) ALL

Be aware that this rule lets jenkins run any command as any user, so anyone who can edit a Jenkins job effectively has root on the machine. If all you need is one script run as one user, restrict the rule to that command and that target user instead of ALL.

3. Store the jenkins password in a file that only the jenkins user can read
sudo su - jenkins
echo 'the_jenkins_password' > pwd
chmod 600 pwd
exit

This creates /var/lib/jenkins/pwd (the jenkins home directory on Ubuntu). Keep in mind that every build step already runs as jenkins, so any job on this server can read the password; the file mode only hides it from other local users.

4. Execute your script
In your job (a free-style project), add an "Execute shell" build step and enter:
cat /var/lib/jenkins/pwd | sudo -S su - another_user_name -c "sh /path/to/your/script.sh"

The -S flag makes sudo read the password from standard input instead of from a terminal, which is what lets this work inside a non-interactive build.

Et voila, your script starts as the other user!
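As an added example (not code from the original post or its comments), here is a least-privilege variant of steps 2 to 4 along the lines the commenters suggest: a sudoers drop-in that lets jenkins run exactly one script as exactly one user with NOPASSWD, so no password has to be stored on disk at all. The target user name deploy, the script path /opt/deploy/run.sh and the drop-in name jenkins-deploy are placeholders; the script also includes a small checker that flags over-broad rules such as the one in step 2.

```shell
#!/bin/sh
# Added example, not from the original post. Least-privilege alternative to
# steps 2-4: one sudoers drop-in granting jenkins exactly one command as
# exactly one user, with NOPASSWD, so no password is stored anywhere.
# Placeholder names (assumptions): target user "deploy", script
# /opt/deploy/run.sh, drop-in /etc/sudoers.d/jenkins-deploy.

JENKINS_USER="jenkins"          # account the Jenkins service/agent runs as
TARGET_USER="deploy"            # user the script must run as
SCRIPT="/opt/deploy/run.sh"     # absolute path: sudoers matches on full paths
DROPIN="/etc/sudoers.d/jenkins-deploy"   # no '.' or trailing '~', or sudo ignores it

# Render the single rule:  user  hosts=(run-as)  tag: command
render_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Return 0 (true) when a rule is broader than "one command as one user":
# run-as ALL, command ALL, a wildcard, or a command that is not an absolute
# path. The post's own rule, "jenkins ALL=(ALL) ALL", trips the first check.
rule_is_broad() {
    rule=$(printf '%s\n' "$1" | sed 's/NOPASSWD: *//')
    runas=$(printf '%s\n' "$rule" | sed -n 's/.*=(\([^)]*\)).*/\1/p')
    cmd=$(printf '%s\n' "$rule" | sed 's/^.*) *//')
    if [ "$runas" = "ALL" ] || [ "$cmd" = "ALL" ]; then
        return 0
    fi
    case "$cmd" in
        *\**) return 0 ;;   # wildcards match more than one program
        /*)   return 1 ;;   # one absolute path: properly scoped
        *)    return 0 ;;   # no run-as spec or a relative name: too loose
    esac
}

# The command for the Jenkins "Execute shell" step. -n makes sudo fail
# instead of hanging on a password prompt when the rule does not match. The
# script is invoked directly: "sh /opt/deploy/run.sh" would be matched
# against /bin/sh, not against the rule above.
build_step_cmd() {
    printf 'sudo -n -u %s %s\n' "$TARGET_USER" "$SCRIPT"
}

# Write the drop-in with the mode sudo requires (0440, root-owned) and
# syntax-check it with visudo before installing. Dry-run when not root.
install_dropin() {
    rule=$(render_rule "$JENKINS_USER" "$TARGET_USER" "$SCRIPT")
    if rule_is_broad "$rule"; then
        echo "refusing to install an over-broad rule: $rule" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    chmod 0440 "$tmp"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$tmp"
        # A syntax error in sudoers.d disables sudo for everyone; check first.
        visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
        mv "$tmp" "$DROPIN"
        # The script must not be writable by jenkins, otherwise jenkins can
        # edit it and run arbitrary code as $TARGET_USER.
        if [ -f "$SCRIPT" ]; then
            chown root:root "$SCRIPT" && chmod 0755 "$SCRIPT"
        fi
    else
        echo "dry-run (not root); would install to $DROPIN:"
        cat "$tmp"
        rm -f "$tmp"
    fi
}

# Install only when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--install" ]; then
    install_dropin
fi
```

Run it once as root with --install, then use the output of build_step_cmd as the whole content of the "Execute shell" step; no password, pwd file or -S is needed, and if the rule ever stops matching the build fails immediately instead of hanging on a prompt.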

8 responses to this post.

  1. Posted by Bryan Stenson on 24-05-2012 at 21:51

    if you add “NOPASSWD” to your sudoers file, you don’t have to store the jenkins password…which is a really bad idea.

  2. Posted by fortm on 29-01-2013 at 19:28

    After spending a whole day on how to do this, finally a working solution! Thanks a lot.

  3. Adding a password to user jenkins lowers security as it becomes possible to login as jenkins user. I am thinking about using the ssh plugin to run scripts on the same machine.

  4. Posted by Blue on 13-08-2013 at 20:39

    You can set NOPASSWD in visudo for one specified command (your script) and avoid reading the password every time you run the script. Keeping passwords on disk in text files does not sound safe to me…

  5. Excellent writeup. But I do not understand why you put ‘-S’ in your sudo command.

  6. Posted by Aaron Wilson on 05-06-2014 at 20:10

    The -S (stdin) option causes sudo to read the password from the standard input instead of the terminal device.

  7. Posted by Aaron Wilson on 05-06-2014 at 20:19

    Rather than storing the password on the file system, it is best to check the “Inject passwords to the build as environment variables” and create an environment variable (e.g. JENKINS_PWD) and enter the password. Then in the build step, you can do something like the following:

    echo "${JENKINS_PWD}" | sudo -S su - -c ""

  8. Posted by Willem Groeneveld on 27-06-2016 at 16:03

    Thanks! Saved my day. One tiny detail: on Ubuntu 14.04 it is /etc/sudoers (so file ends with an s)
