Weak Filesystem Permissions


In the default Ubuntu install, several config files (all but identity.key and the secrets/ folder) are set world-readable on the FS.

This includes files containing users' credentials/passwords (users/admin/config.xml). Even if LDAP is in use instead of default authentication, the config.xml for Jenkins itself is world-readable, disclosing the LDAP binding password to any other user of the system.

In production environments where more than one person can access the system via SSH or other means, or where more than one application lives on the same server, this could lead to credentials disclosure to unauthorized people. As a result, permissions of files containing sensitive information should be tightened to prevent other non-root users from reading them.

Version tested is 1.514
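The following is an added example, not part of the original report or of Jenkins itself: a small POSIX shell audit that lists every regular file under a JENKINS_HOME that any other local user can read, and a hardening function that strips group/other access. The sample tree it builds under mktemp is constructed to mimic the layout and default modes described above (config.xml and users/admin/config.xml at 0644, identity.key and secrets/ owner-only); the function names and the demo file contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the Jenkins project's code): find and fix world-readable
# files in a JENKINS_HOME. The fixture below is constructed to resemble the
# default install described in the report; its contents are placeholders.

make_fixture() {
  # Constructed sample JENKINS_HOME with the reported default permissions.
  d=$(mktemp -d)
  mkdir -p "$d/users/admin" "$d/secrets"
  printf '<ldap><managerPassword>placeholder</managerPassword></ldap>\n' > "$d/config.xml"
  printf '<user><passwordHash>placeholder</passwordHash></user>\n' > "$d/users/admin/config.xml"
  printf 'placeholder\n' > "$d/identity.key"
  printf 'placeholder\n' > "$d/secrets/master.key"
  chmod 644 "$d/config.xml" "$d/users/admin/config.xml"   # world-readable, as reported
  chmod 600 "$d/identity.key" "$d/secrets/master.key"     # already owner-only
  chmod 700 "$d/secrets"
  echo "$d"
}

# Print every regular file under $1 whose "other" read bit (0004) is set,
# i.e. readable by any local account regardless of group membership.
world_readable() {
  find "$1" -type f -perm -004
}

# Count the hits so the result can be checked by a script or a test.
count_world_readable() {
  world_readable "$1" | wc -l | tr -d ' '
}

# Remove group/other access from every directory and file under $1.
# Directories become 0700 so other users cannot even traverse the tree;
# files become 0600. Jenkins itself keeps full access as the owner.
harden() {
  find "$1" -type d -exec chmod 700 {} +
  find "$1" -type f -exec chmod 600 {} +
}

# Stand-alone usage against a real install (run as the jenkins user or root):
#   sh audit_jenkins_home.sh /var/lib/jenkins        # report only
#   sh audit_jenkins_home.sh /var/lib/jenkins --fix  # report, then tighten
if [ "$#" -gt 0 ]; then
  echo "World-readable files under $1:"
  world_readable "$1"
  if [ "${2:-}" = "--fix" ]; then
    harden "$1"
    echo "Remaining world-readable files: $(count_world_readable "$1")"
  fi
fi
```

The audit uses the octal test `-perm -004` rather than a symbolic mode so it behaves the same on GNU and BSD find. The hardening step is deliberately blunt (everything under the tree becomes owner-only); if a separate account legitimately needs to read parts of JENKINS_HOME, grant it through group ownership on those paths instead of leaving the other-read bit set on files that carry credentials.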

Assignee: Kohsuke Kawaguchi
Reporter: Adrian Bravo
Archiver: Jenkins Service Account