If a jenkins user has job/configure and job/build priviledge and can run build on master, he can run a shell script to get all data in JENKINS_HOME, including all of jekins secret tokens and all of personal secrets of jenkins users.

Apparently, he can also modify configuration files on disk, even though the modification will not take effects immediately.

Please fix it!