3

I'm developing a system service in Java, and for the deployment I would like to do the following:

  1. Copy over the new Initd from the build
  2. Stop the service being deployed
  3. Overwrite/copy the new JAR/config example
  4. Start up the service.

Is there a way that I can do this without giving root access to Jenkins? [For those non-Jenkins folk: Jenkins uses SCP & SSH to do the copying and command sending.] My concern is that if I give Jenkins root access, you're not limiting the permissions given. The scope of this is to only limit the change to that one service. (It doesn't depend on other services.)

I'm willing to relax the first requirement, as it may make the solution more tricky.

monksy
  • 743

1 Answer

0

There are a few questions already on this site about how to let just one user execute just one script as root (e.g. using sudo); basically you'll need to write a script that executes steps 2-4 (e.g. service foo stop; cp -f ~jenkins/service.init /etc/init.d/; service foo start), and give the jenkins user NOPASSWD permissions for that script in /etc/sudoers.

Fundamentally, though, allowing Jenkins to install an init script is the same as giving Jenkins (and anyone who can change the inputs that create the script and re-run the job) full root access, because the init script will run as root when you reboot.

  • I'm fine with not having Jenkins do the install of the init script. But is it possible to do all of the service maintenance [stop/start] without having root access? – monksy Oct 16 '15 at 21:10
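A sketch of the wrapper-plus-sudoers approach from the answer, as an added example that is not part of the original answer. It covers steps 2-4 for the JAR only and leaves the init script out, for the reason the answer gives. The service name, paths and the script name deploy-foo are assumptions.

```shell
#!/bin/sh
# Added example. Install as /usr/local/sbin/deploy-foo (hypothetical name),
# owned by root, mode 0755, so the jenkins user can run but not edit it.
# sudoers entry (edit with visudo); the fixed argument "run" means sudo
# permits no other arguments:
#   jenkins ALL=(root) NOPASSWD: /usr/local/sbin/deploy-foo run

# Fixed, assumed names: nothing here is taken from the caller.
SERVICE=foo
STAGED=/home/jenkins/staging/foo.jar   # where Jenkins SCPs the build
TARGET=/opt/foo/foo.jar                # what the service runs

# True only for a non-empty regular file that is not a symlink.
is_plain_file() {
    [ ! -L "$1" ] && [ -f "$1" ] && [ -s "$1" ]
}

# Copy src into a root-owned work dir WITHOUT following symlinks (-P),
# validate the copy (which jenkins can no longer swap), then rename it
# into place so the service never sees a half-written file.
install_file() {
    src=$1 dst=$2
    work=$(mktemp -d "$(dirname "$dst")/.deploy.XXXXXX") || return 1
    if cp -P -- "$src" "$work/new" && is_plain_file "$work/new" \
        && chmod 0644 "$work/new" && mv -f -- "$work/new" "$dst"; then
        rmdir "$work"
        return 0
    fi
    rm -rf -- "$work"
    return 1
}

main() {
    # Cheap early reject before touching the service; the authoritative
    # check is the one install_file runs on its own copy.
    is_plain_file "$STAGED" || { echo "bad artifact: $STAGED" >&2; exit 1; }
    service "$SERVICE" stop
    install_file "$STAGED" "$TARGET"; rc=$?
    service "$SERVICE" start           # start again even if the copy failed
    exit "$rc"
}

# Only the exact invocation listed in sudoers does anything.
if [ "$#" -eq 1 ] && [ "$1" = run ]; then main; fi
```

Jenkins then runs `sudo /usr/local/sbin/deploy-foo run` over SSH after copying the JAR to the staging path.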