[JENKINS-11323] dist-fork allows me too much privilege

Type: Bug
Resolution: Fixed
Priority: Major
Component/s: distfork-plugin
Labels:
None

Similar Issues:
Powered by SuggestiMate

Show

Quoting from #jenkins:
[19:21] <sanga> we have a bunch of nodes running on windows boxes. where the node-agent is running with System rights.
[19:22] <sanga> and our jenkins instance has the following security policy: anonymous users are allowed to run a build but you need to authenticate (and have the appropriate privileges) to configure a job
[19:23] <sanga> however, with the dist-fork plugin I am able to run: "....dist-fork cmd"
[19:23] <sanga> which will give me a terminal shell with system rights on the node
[19:23] <sanga> without needing to authenticate...
[19:25] <sanga> it seems to me that dist-fork is currently handled (in terms of access rights) as a job "run"
[19:25] <sanga> whereas it should be handled as a job "configure"

Oleg Nenashev added a comment - 2014-05-21 22:36

Fixed the component

Oleg Nenashev added a comment - 2014-05-21 22:36 Fixed the component

Jesse Glick added a comment - 2017-03-21 13:44

https://jenkins.io/security/advisory/2017-03-20/

Jesse Glick added a comment - 2017-03-21 13:44 https://jenkins.io/security/advisory/2017-03-20/

Assignee:: Unassigned

Reporter:: sanga

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2011-10-12 05:53

Updated:: 2017-03-21 13:44

Resolved:: 2017-03-21 13:44

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Oleg Nenashev added a comment - 2014-05-21 22:36

Expand comment: Oleg Nenashev added a comment - 2014-05-21 22:36

Collapse comment: Jesse Glick added a comment - 2017-03-21 13:44

Expand comment: Jesse Glick added a comment - 2017-03-21 13:44

People

Dates