JENKINS-24513

Zero executors on master not well documented or enforced

      Description

      As described here:

      http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html

      A user with "configure" privileges can execute arbitrary code in the context of the application server running Jenkins, and leverage this to bypass authentication and take full control of the Jenkins server. This is only a problem because the security matrix seems to be designed to separate privileges, and the fact a user with "configure" privs for a single project can take over the whole server is non-obvious to administrators.

      Do you think this is something that constitutes a legitimate flaw to fix? Or more just something to be documented?

            Activity

            danielbeck Daniel Beck added a comment -

            Seems to me that the core change should be fairly uncontroversial?

            jglick Jesse Glick added a comment -

            If you have not configured a queue item authenticator then builds which succeeded before would begin failing. Which could be considered a good thing—security is now being enforced—but on the other hand would be a nasty surprise in an upgrade.

            jglick Jesse Glick added a comment -

            display an admin monitor when security is enabled yet there is no configured QueueItemAuthenticator

            This would be a reasonable follow-up to JENKINS-22949. For example:

            • include authorize-project in core/src/main/resources/jenkins/install/platform-plugins.json so people are guided to install it
            • display an admin monitor with varying messages when
              • there is no QueueItemAuthenticatorDescriptor; perhaps you need to install authorize-project?
              • there is no configured QueueItemAuthenticator; perhaps you need to configure it?
              • there is, but some jobs in the system are still set to run as SYSTEM; perhaps you need to configure a fallback authentication, such as to anonymous (or perhaps you deliberately set this job to be that way, in which case dismiss)
            jglick Jesse Glick added a comment -

            Daniel Beck notes that flyweight Pipeline tasks are also currently checked for Computer.BUILD on master, which makes no sense.

            danielbeck Daniel Beck added a comment - - edited

            I got started on an admin monitor for Access Control for Builds.

            The problem I ran into was determining when to show it – on instances where everyone is an admin anyway, it's pointless.

            My first idea was a RunListener that checks its causes for a UserIdCause, and if that is not an admin, to trigger the admin monitor. But that seems too narrow of a condition, and we probably want to err on the side of showing it too often rather than too rarely.

            Perhaps it's good enough to check for the selected authorization strategy, and if it's not one of the three or so with clear privilege separation (and perhaps if there's at least two users), show it.

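The checks proposed in the comments above, written as an audit for the Jenkins script console (an added example, not code from the Jenkins project or from the commenters). It covers the executor count named in the issue title and the first two monitor conditions; the per-job SYSTEM check is left out because it depends on the authorize-project plugin's job configuration, and the function name auditBuildAccessControl is hypothetical.

```groovy
// Added example: run in Manage Jenkins > Script Console as an administrator.
import jenkins.model.Jenkins
import jenkins.security.QueueItemAuthenticatorConfiguration
import jenkins.security.QueueItemAuthenticatorDescriptor

// Hypothetical helper: returns findings that mirror the admin-monitor
// conditions discussed in this issue.
def auditBuildAccessControl(Jenkins j) {
    if (!j.isUseSecurity()) {
        return ['Security is disabled; there is no privilege separation to enforce.']
    }
    def findings = []

    // Builds on the built-in node run as the Jenkins OS user with access to JENKINS_HOME.
    int executors = j.getNumExecutors()
    if (executors > 0) {
        findings << "Built-in node has ${executors} executor(s); set this to 0 so builds cannot run there."
    }

    if (QueueItemAuthenticatorDescriptor.all().isEmpty()) {
        // No plugin provides an authenticator type at all.
        findings << 'No QueueItemAuthenticatorDescriptor is registered; perhaps install authorize-project.'
    } else if (QueueItemAuthenticatorConfiguration.get().getAuthenticators().isEmpty()) {
        // A type is available but nothing is configured, so builds run as SYSTEM.
        findings << 'No QueueItemAuthenticator is configured; perhaps you need to configure it.'
    }

    // Reported for the reviewer: whether the strategy separates privileges is a judgement call.
    findings << "Authorization strategy in use: ${j.getAuthorizationStrategy().getClass().getName()}"
    return findings
}

auditBuildAccessControl(Jenkins.get()).each { println it }
```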

              People

              • Assignee:
                oleg_nenashev Oleg Nenashev
                Reporter:
                dfj David Jorm