JENKINS-56617: Node-based security is ignored with pipelines

      Description

      Node-based security is ignored in Pipelines. Restricting "build" on a node to specific users has no effect.

      Reproduction:

      1. Create a node, let's say "test-node"
      2. Use restrictions to end up with a user that has access to Jenkins and can create pipelines but does not have "build" permission on that node
      3. Create a new job of type pipeline and add this code to it:
         node('test-node') { sh 'ls -la ..' }
      4. No matter which user will start this job, he will be allowed to do it and be able to read files on that node. I would expect that running the job is denied for users who do not have "build" access to that node.

      That opens up the problem that users who are allowed to create jobs (which is not generally a bad idea) can use this to spy on nodes they are not allowed to use.

            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            Christian Gredig, do you have the Authorize Project plugin configured on your instance? Without it, Computer.BUILD permission does nothing for Pipeline or Freestyle jobs.

            jglick Jesse Glick added a comment -

            First of all, do not report even suspected security vulnerabilities in the public tracker. See the guidelines.

            As Oleg Nenashev pointed out, builds have unrestricted permissions unless you do something to restrict them, by installing and configuring the Authorize Project plugin.

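Added example, not part of the issue thread: a Jenkins Configuration as Code fragment that enables the Authorize Project plugin's global strategy so builds run as the user who triggered them instead of SYSTEM, which is what makes the Computer.BUILD check on "test-node" take effect. It assumes the Authorize Project and Configuration as Code plugins are installed; the key names are the ones the plugin registers for JCasC.

```yaml
# Added example (not from the issue): JCasC fragment for the
# authorize-project plugin. Assumes authorize-project and
# configuration-as-code plugins are installed.
#
# Situation described in JENKINS-56617: with no queue item
# authenticator configured, every build runs as SYSTEM, so the
# Computer.BUILD check for "test-node" is never applied to the
# user who started node('test-node') { sh 'ls -la ..' }.
#
# Hardened: run builds under the triggering user's authentication,
# so a user lacking Computer.BUILD on "test-node" cannot allocate it.
security:
  queueItemAuthenticator:
    authenticators:
      - global:
          strategy: "triggeringUsersAuthorizationStrategy"
```

Builds started by timers or SCM polling have no triggering user, so check how such builds are authenticated in your setup before relying on this strategy alone.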
            konzertheld Christian Gredig added a comment -

            Oleg Nenashev How could I have known this?

            Jesse Glick I read the reporting guidelines one is linked to when opening an issue, the vulnerability guidelines are not linked there (they should be, probably). Also, this kind of actually is a security issue, isn't it? Even if it can be fixed by installing the plugin you mentioned - I can confirm it worked.

            Thanks for your answers though. My problem is solved, I just wonder how we can protect other users from running into the same problems.

            jglick Jesse Glick added a comment -

            > How could I have known this?

            We are already working on improved documentation and runtime alerts in this area.

            > I read the reporting guidelines one is linked to when opening an issue, the vulnerability guidelines are not linked there

            Hmm. Can you give me an example URL?

            > this kind of actually is a security issue, isn't it? Even if it can be fixed by installing the plugin

            Arguably yes, but we have not yet devised a way of enforcing full protection from the start without breaking thousands of Jenkins installations trying to upgrade, which is why we are starting with administrative notifications.

            jglick Jesse Glick added a comment -

            See discussion surrounding JENKINS-24513 for example.

            oleg_nenashev Oleg Nenashev added a comment -

            FTR my slides about common security pitfalls in Jenkins, slide 76 and further: https://static.sched.com/hosted_files/devopsworldjenkinsworld2018/5f/DWJW2018_CommonSecurityPitfalls.pdf

            As Jesse Glick mentioned, JENKINS-24513 is probably the starting point for the discussion. In Jenkins 2.168 Daniel Beck has added an administrative monitor to make this situation explicit.

            danielbeck Daniel Beck added a comment -

            > We are already working on improved documentation and runtime alerts in this area.

            Specifically, the latest weeklies contain UI notifying admins about this. See https://user-images.githubusercontent.com/1831569/53601162-b2663580-3bab-11e9-9da8-93043aaf369c.png for how this looks at the first stage. It links to https://jenkins.io/doc/book/system-administration/security/build-authorization/

            > Hmm. Can you give me an example URL?

            The description of "Summary" in the Create Issue screen links to https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue and I'm really happy someone's actually reading this.

            That said, https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue#Howtoreportanissue-Creatingtheissue says to report security issues in the Security project in Jira. It's less big, bold, and red than it could be, but at some point all that's left is big, bold, and red instructions. Perhaps this makes the cut to be bold and red? Suggestions (or edits) welcome.

            konzertheld Christian Gredig added a comment -

            Ah, now I see the entry for the security project! Thanks for the explanation and sorry for disregarding it in the first place. I am also looking forward to the admin UI enhancements. And yes, maybe the security hint might make the "bold red" list.


              People

              Assignee: Unassigned
              Reporter: konzertheld Christian Gredig