
Weak Filesystem Permissions


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • None
    • Environment: Ubuntu Server 12.04 64 bits

      In the default Ubuntu install, several config files (all but identity.key and the secrets/ folder) are set world readable on the FS.

      This includes files containing users' credentials/passwords (users/admin/config.xml). Even if LDAP is in use instead of default authentication, the config.xml for Jenkins itself is world readable, disclosing the LDAP binding password to any other user of the system.

      In production environments where more than one person can access the system via SSH or other means, or where more than one application lives on the same server, this could lead to credentials disclosure to unauthorized people. As a result, permissions of files containing sensitive information should be tightened to prevent other non-root users from reading them.

      Version tested is 1.514
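      The following audit script is an added example and is not part of this report or of the Jenkins project. It lists the files under a JENKINS_HOME tree that match the kinds of files the report names (config.xml files, credentials and key material) and that carry the world-read bit, and it then strips the "other" permission bits from them while leaving the owner's bits intact. The default path /var/lib/jenkins and the file-name patterns are assumptions; broaden the pattern list if other files in your tree hold secrets.

```shell
#!/bin/sh
# Added example (not Jenkins project code): audit a JENKINS_HOME tree for
# secret-bearing files readable by "other", then tighten them.
# Assumptions: default path /var/lib/jenkins; the pattern list below is chosen
# to match the files named in the report and is not exhaustive.

# Print every regular file under $1 (default /var/lib/jenkins) that matches the
# sensitive-file patterns and has the world-read bit set (mode ...4).
jenkins_world_readable() {
    dir="${1:-/var/lib/jenkins}"
    find "$dir" -type f \
        \( -name 'config.xml' -o -name 'credentials.xml' -o -name 'secret.key' \
           -o -name 'identity.key*' -o -path '*/secrets/*' \) \
        -perm -004 -print 2>/dev/null
}

# Number of offending files; 0 means the tree passes the check.
jenkins_world_readable_count() {
    jenkins_world_readable "$1" | grep -c . || true
}

# Remove read/write/execute for "other" from the same set of files. The owner
# (the jenkins service user) keeps its bits, so the service keeps working.
jenkins_tighten_perms() {
    dir="${1:-/var/lib/jenkins}"
    find "$dir" -type f \
        \( -name 'config.xml' -o -name 'credentials.xml' -o -name 'secret.key' \
           -o -name 'identity.key*' -o -path '*/secrets/*' \) \
        -perm -004 -exec chmod o-rwx {} +
}

# Usage: jenkins_world_readable /var/lib/jenkins   (report only)
#        jenkins_tighten_perms   /var/lib/jenkins   (fix; run as root or the jenkins user)
```

      Note that directory permissions matter too: a world-readable users/ directory still lets other accounts list user names even when the config.xml files inside are protected, so apply the same review to directories if that listing is itself sensitive.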

            Assignee: kohsuke Kohsuke Kawaguchi
            Reporter: adrianbn Adrian Bravo
            Votes: 0
            Watchers: 7
