• Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component/s: core
    • Labels: None
    • Environment: Ubuntu Server 12.04 64 bits

      In the default Ubuntu install, several config files (all but identity.key and the secrets/ folder) are set world readable on the FS.

This includes files containing users' credentials/passwords (users/admin/config.xml). Even if LDAP is in use instead of default authentication, the config.xml for Jenkins itself is world readable, disclosing the LDAP binding password to any other user of the system.

      In production environments where more than one person can access the system via SSH or other means, or where more than one application lives on the same server, this could lead to credential disclosure to unauthorized people. As a result, permissions of files containing sensitive information should be tightened to prevent other non-root users from reading them.

      Version tested is 1.514.
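An audit and hardening script for the condition described in this report, added here as an example (it is not part of the issue or of Jenkins itself). It assumes the layout the report names, $JENKINS_HOME/config.xml and $JENKINS_HOME/users/*/config.xml holding credentials, with secrets/ and identity.key already protected, and it builds a constructed throwaway directory for demonstration rather than touching a real install.

```shell
#!/bin/sh
# Audit a Jenkins home for world-readable credential files and tighten them.
set -eu

# List the credential-bearing files the report names (top-level config.xml
# with the LDAP bind password, users/*/config.xml with user password hashes)
# whose "other" read bit (mode 004) is set.
exposed_credential_files() {
    home=$1
    for f in "$home/config.xml" "$home"/users/*/config.xml; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 -perm -004)" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Drop group write and all "other" access on the home itself (so other local
# users cannot traverse into it) and on each credential file.
harden_jenkins_home() {
    home=$1
    chmod 750 "$home"
    for f in "$home/config.xml" "$home"/users/*/config.xml; do
        [ -f "$f" ] || continue
        chmod 640 "$f"
    done
}

# Constructed demo layout mirroring the default install from the report
# (not a real Jenkins home); prints the path so callers can audit it.
make_demo_home() {
    home=$(mktemp -d)
    mkdir -p "$home/users/admin" "$home/secrets"
    printf '<hudson/>\n' > "$home/config.xml"
    printf '<user/>\n' > "$home/users/admin/config.xml"
    printf 'demo-key\n' > "$home/identity.key"
    chmod 644 "$home/config.xml" "$home/users/admin/config.xml"
    chmod 600 "$home/identity.key"
    printf '%s\n' "$home"
}

# Stand-alone use: audit a real home only if JENKINS_HOME is set and exists.
if [ -d "${JENKINS_HOME:-}" ]; then
    exposed_credential_files "$JENKINS_HOME"
fi
```

Run with JENKINS_HOME pointing at the install to list exposed files; call harden_jenkins_home on that path once the listing has been reviewed.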

          [JENKINS-24514] Weak Filesystem Permissions

          Adrian Bravo created issue -
          Kohsuke Kawaguchi made changes -
          Workflow Original: jira [ 149514 ] New: Security [ 152183 ]
          Kohsuke Kawaguchi made changes -
          Workflow Original: Security [ 152183 ] New: Security v1.1 [ 152277 ]
          Kohsuke Kawaguchi made changes -
          Workflow Original: Security v1.1 [ 152277 ] New: Security v1.2 [ 152372 ]
          Kohsuke Kawaguchi made changes -
          Component/s New: core [ 15593 ]
          Component/s Original: core [ 15738 ]
          Key Original: SECURITY-81 New: JENKINS-24514
          Project Original: Security Issues [ 10180 ] New: Jenkins [ 10172 ]
          Workflow Original: Security v1.2 [ 152372 ] New: JNJira [ 157500 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-25065 [ JENKINS-25065 ]
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-25025 [ JENKINS-25025 ]
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-24987 [ JENKINS-24987 ]
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 157500 ] New: JNJira + In-Review [ 193156 ]

Assignee: Kohsuke Kawaguchi (kohsuke)
            Reporter: Adrian Bravo (adrianbn)
            Votes: 0
            Watchers: 7
