[JENKINS-18884] Separate Permission for People View to close Security Hole with AD Plugin

    • 2.452

      Even when choosing the most restricted user rights (Role Plugin: Global Role with only Read), it is possible for every user to view the Jenkins user ID AND the name of the user (see screenshots).
      Working with Active Directory for authentication, this means it's possible for everybody to get the user names from AD AND the common names (security hole with AD Plugin?).

      Goal: create a Permission to allow specific People/Roles to see this User Account info and deny it to all others.


          Annabella Schmidt created issue -
          Annabella Schmidt made changes -
          Attachment New: Jenkins_PeopleView.png [ 24106 ]
          Annabella Schmidt made changes -
          Labels Original: configuration jenkins matrix security New: configuration core jenkins matrix security

          Daniel Beck added a comment -

          Without permission to view people, other views that can also be used to list people known to Jenkins should be restricted as well, like 'Changes' (remove author information?).

          Maybe even information such as the field about who created a slave? Who started a build?

          There's little that can be done for change lists sent via email-ext, though. Other plugins might also provide ways to circumvent restrictions.

          ikedam added a comment -

          @danielbeck
          I'm afraid you completely misunderstand this issue.

          1. The severity is completely different between all users in Jenkins being visible and some users of a project being visible.
          2. Changelogs can be restricted to only the users related to that project by using the Matrix Authorization Strategy Plugin. This issue is that there is no way to restrict access to the "People" view.
          3. Even though there are other security issues in Jenkins, that cannot be a reason to leave this issue.
          4. Even though there are plugins with security issues, that cannot be a reason for Jenkins not to care about security.

          It is not reasonable to force users to change their existing security policy only in order to introduce Jenkins.

          Of course, the other problems you pointed out should not be left.
          They should be considered for fixing if someone cannot stand them.

          ikedam added a comment - edited

          Notes for customization:

          • Links to people list (/asynchPeople, /people) are available at:
            • core/src/main/resources/hudson/model/User/sidepanel.jelly
            • core/src/main/resources/hudson/model/View/AsynchPeople/index.jelly
            • core/src/main/resources/hudson/model/View/People/index.jelly
            • core/src/main/resources/hudson/model/View/sidepanel.jelly
            • core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/index.jelly (in blurb)
          • Methods providing people list to views are:
            • jenkins.model.Jenkins#getAsynchPeople()
            • jenkins.model.Jenkins#getPeople()
            • hudson.model.View#getAsynchPeople()
            • hudson.model.View#getPeople()
          • Models of people are:
            • hudson.model.View.People
            • hudson.model.View.AsynchPeople (subclass of jenkins.util.ProgressiveRendering)

          Daniel Beck added a comment -

          Possible workaround: Hide Jenkins behind a reverse proxy (e.g. Apache). Configure it to listen only on the 127.0.0.1 interface (--httpListenAddress=127.0.0.1). Forbid access to people/asynchPeople URLs. Those links will then result in 403 Forbidden.

          Sample Apache httpd.conf excerpt, assuming reverse proxy and Jenkins are running on the same host, Jenkins on port 8080, Apache on port 80:

          <VirtualHost *:80>
                  # Change to the actual server name. httpd does not accept a comment
                  # on the same line as a directive, so the note goes on its own line.
                  ServerName jenkins.example.org
                  # Requires mod_rewrite, mod_proxy and mod_proxy_http to be loaded.
                  RewriteEngine On
                  # The patterns are unanchored: they match anywhere in the path.
                  RewriteRule /asynchPeople/ - [F]
                  RewriteRule /people/ - [F]
                  ProxyRequests     Off
                  ProxyPass         /  http://localhost:8080/
                  ProxyPassReverse  /  http://localhost:8080/
          </VirtualHost>
          

          Of course, this simple pattern will prohibit access to e.g. the job named 'people' as well. Haven't tested this with all possible Jenkins URLs; making sure it works for those is left as an exercise to the reader.

          This should keep at least most of the users out, even if it's likely not a 100% solution.
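          As an added example, not code from this issue or from the Jenkins project, the following Python script emulates the RewriteRule matching in the httpd excerpt above and compares the posted patterns with an anchored alternative. Assumptions: in VirtualHost context Apache matches a RewriteRule pattern against the decoded URL path with unanchored (search) regex semantics, which re.search reproduces for these patterns; the sample paths are constructed from the URLs named in this issue plus a job named 'people', the case the comment calls out; the anchored pattern assumes Jenkins serves people lists only at the root and below /view/<name>/ (including nested views), which you should confirm against your own plugin set.

```python
"""Emulate the Apache mod_rewrite workaround and audit which paths it blocks.

Added example, not Jenkins project code. Assumption: Apache's RewriteRule
pattern in <VirtualHost> context is applied to the decoded URL path with
search semantics, so re.search reproduces it for these simple patterns.
"""
import re

# The two patterns from the posted httpd.conf excerpt (both carry [F]).
NAIVE_RULES = [r"/asynchPeople/", r"/people/"]

# Tightened alternative. Assumption: people lists exist only at the root and
# under one or more /view/<name>/ prefixes (nested views), so anchoring at the
# start of the path keeps /job/people/ reachable.
ANCHORED_RULES = [r"^(/view/[^/]+)*/(asynchPeople|people)(/|$)"]

# Constructed sample requests (not captured from a real server).
SAMPLE_PATHS = [
    "/people/",
    "/asynchPeople/",
    "/people",                          # no trailing slash
    "/view/All/people/",
    "/view/Ops/asynchPeople/",
    "/view/Outer/view/Inner/people/",   # nested views
    "/job/people/",                     # a job that happens to be named "people"
    "/job/people/lastBuild/changes",
    "/user/alice/",
    "/api/json",
]

# Ground truth for the audit: the people views among the samples. The
# slash-less /people is included on the assumption the server answers it.
SHOULD_BLOCK = {
    "/people/",
    "/asynchPeople/",
    "/people",
    "/view/All/people/",
    "/view/Ops/asynchPeople/",
    "/view/Outer/view/Inner/people/",
}


def is_forbidden(path: str, rules) -> bool:
    """True if any rule (a RewriteRule pattern with the [F] flag) matches."""
    return any(re.search(rule, path) for rule in rules)


def audit(rules, paths=SAMPLE_PATHS, should_block=SHOULD_BLOCK):
    """Return (missed, over_blocked) for a rule set.

    missed: people views the proxy would still let through.
    over_blocked: unrelated paths the proxy would answer 403 for.
    """
    blocked = {p for p in paths if is_forbidden(p, rules)}
    missed = should_block - blocked
    over_blocked = blocked - should_block
    return missed, over_blocked


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE_RULES), ("anchored", ANCHORED_RULES)):
        missed, over = audit(rules)
        print(f"{name}: missed={sorted(missed)} over_blocked={sorted(over)}")
```

The naive rules miss the slash-less /people and forbid anything under a job called "people"; the anchored rule blocks exactly the people views in the sample. Run the script against the URL list of your own instance before relying on either.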
          ikedam made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: active-directory [ 15526 ]
          Component/s Original: matrix [ 15501 ]
          Labels Original: configuration core jenkins matrix security New: configuration core jenkins security

          ikedam added a comment -

          Sent a pull request.
          https://github.com/jenkinsci/jenkins/pull/1094

          Didn't create a new permission, but added a configuration option so that the People page requires READ permission or ADMINISTER permission.

          ikedam added a comment -

          Another approach.
          https://github.com/jenkinsci/jenkins/pull/1094

          From the beginning, the People page does not need to list ALL users in Jenkins, does it?

            danielbeck Daniel Beck
            night_shift Annabella Schmidt
            Votes: 21
            Watchers: 29