
Zero executors on master not well documented or enforced

    • 2.289.1, 2.286

      As described here:

      http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html

      A user with "configure" privileges can execute arbitrary code in the context of the application server running Jenkins, and leverage this to bypass authentication and take full control of the Jenkins server. This is only a problem because the security matrix seems to be designed to separate privileges, and the fact that a user with "configure" privs for a single project can take over the whole server is non-obvious to administrators.

      Do you think this is something that constitutes a legitimate flaw to fix? Or more just something to be documented?

          [JENKINS-24513] Zero executors on master not well documented or enforced

          David Jorm created issue -

          Jesse Glick added a comment -

          Currently this is just something to be documented, that a secure installation should have zero executors on master (or otherwise have restricted jobs able to run on master to only those which users who already have Overall/RunScripts may configure).

          Better would be for this to be an administrative warning. Or Jenkins could actually check the authentication associated with a build done on master to verify that it has RUN_SCRIPTS.

          Jesse Glick made changes -
          Assignee Original: Kohsuke Kawaguchi [ kohsuke ]
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Summary Original: Potential privilege escalation issue New: Zero executors on master not well documented or enforced

          Kohsuke Kawaguchi added a comment -

          I agree with Jesse. Given also that the referenced post is already public, I'm moving this into the general JENKINS project.
          Kohsuke Kawaguchi made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-156 New: JENKINS-24513
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: Security v1.2 [ 157284 ] New: JNJira [ 157499 ]
          Status Original: Untriaged [ 10001 ] New: Open [ 1 ]

          Daniel Beck added a comment -

          Jenkins allows users with configure privileges to run arbitrary shell or batch scripts as the user Jenkins runs as (bonus: When using the Windows installer, it runs as SYSTEM).

          How is this NOT obvious?


          Jesse Glick added a comment - - edited

          Well in practice it is not so obvious.

          Also there are some use cases for administrators to configure special projects that must run on the master, to do backups and the like. For these cases you want to leave some executor slots open, yet block regular projects from using them. The natural way to do that would be to have Jenkins.MasterComputer.checkPermission(Computer.BUILD) require RUN_SCRIPTS on Jenkins, so that only admin-authorized projects could run on it; and then display an admin monitor when security is enabled yet there is no configured QueueItemAuthenticator.

          Jesse Glick made changes -
          Labels New: security
          Jesse Glick made changes -
          Link New: This issue is related to JENKINS-30749 [ JENKINS-30749 ]
          Jesse Glick made changes -
          Labels Original: security New: 2.0 security
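
An audit of the conditions discussed in this thread, written for the Jenkins script console as an added example (not code from the issue or from the Jenkins project): it reports executors on the controller ("master"), projects that may be scheduled there, and the case of security enabled with no QueueItemAuthenticator configured. It assumes a core recent enough to provide `Jenkins.get()`; the wording of the findings is illustrative.

```groovy
import hudson.model.AbstractProject
import hudson.model.Node
import jenkins.model.Jenkins
import jenkins.security.QueueItemAuthenticatorConfiguration

// Added example: read-only audit, changes nothing on the instance.
def j = Jenkins.get()
def findings = []

// 1. Executors on the controller ("master" in this issue).
int executors = j.numExecutors
if (executors > 0) {
    findings << "controller has ${executors} executor(s); the issue recommends zero"
}

// 2. Security enabled but builds not tied to any user identity.
def authenticators = QueueItemAuthenticatorConfiguration.get().authenticators
if (j.useSecurity && authenticators.isEmpty()) {
    findings << "security is enabled but no QueueItemAuthenticator is configured"
}

// 3. Projects that could be scheduled on the controller. Covers AbstractProject
//    types (freestyle, matrix, ...) only; Pipeline jobs choose nodes in script.
if (executors > 0) {
    j.getAllItems(AbstractProject).each { p ->
        def label = p.assignedLabel
        boolean roams = (label == null && j.mode == Node.Mode.NORMAL)
        boolean pinned = (label != null && label.contains(j))
        if (roams || pinned) {
            findings << "${p.fullName}: can build on controller (" +
                        (pinned ? "label '${label}'" : "no label restriction") + ")"
        }
    }
}

if (findings) {
    findings.each { println "WARN  ${it}" }
} else {
    println "OK    no controller executors exposed to job configurers"
}
// Remediation named in the issue: j.setNumExecutors(0) from an admin session.
return findings.size()
```

Every project listed under the third check is one whose configurers can run build steps as the Jenkins service account, which is the escalation path the reporter describes.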
