[JENKINS-26862] Jenkins should set a SecurityManager (prevent rogue scripts exiting)

Type: Improvement
Resolution: Unresolved
Priority: Major
Component/s: core, groovy-plugin
Labels:
None
Environment:
Any

Similar Issues:
Powered by SuggestiMate

Show

Jenkins should set a SecurityManager and explicity trap out calls to System.exit from plugins.

This would prevent eg. the following script from taking out the whole web container:
System.exit(0)

Groovy even provides a NoExitSecurityManager for this purpose.

Ed Randall created issue - 2015-02-09 17:02

Daniel Beck added a comment - 2015-02-09 18:14

Wouldn't it suffice to fix plugins so they use Script Security Plugin for everything groovy?

Daniel Beck added a comment - 2015-02-09 18:14 Wouldn't it suffice to fix plugins so they use Script Security Plugin for everything groovy?

R. Tyler Croy made changes - 2016-07-25 23:51

Workflow

Original: JNJira [ 161038 ]

New: JNJira + In-Review [ 180549 ]

Daniel Beck added a comment - 2017-04-10 20:51

FTR https://jenkins.io/security/advisory/2017-04-10/ so this can probably be Won't Fixed? A security manager alone won't prevent all the evilness in scripts, there's no way around sandboxing or admin approval.

Daniel Beck added a comment - 2017-04-10 20:51 FTR https://jenkins.io/security/advisory/2017-04-10/ so this can probably be Won't Fixed? A security manager alone won't prevent all the evilness in scripts, there's no way around sandboxing or admin approval.

Ed Randall added a comment - 2017-04-11 07:19 - edited

Think beyond the headline and into the description - whilst a 'security manager' is the solution, this is not really about security but rather more about preventing a casual or accidental System.exit placed in a script from exiting the whole Jenkins and causing an unintended outage. Of course it can likely be circumvented with determination. I can't think of any situation where System.exit would be desirable and the given securitymanager traps this. It's a simple thing to do which will save teams from their own accidents. WONTFIX would be rather disappointing.

Ed Randall added a comment - 2017-04-11 07:19 - edited Think beyond the headline and into the description - whilst a 'security manager' is the solution, this is not really about security but rather more about preventing a casual or accidental System.exit placed in a script from exiting the whole Jenkins and causing an unintended outage. Of course it can likely be circumvented with determination. I can't think of any situation where System.exit would be desirable and the given securitymanager traps this. It's a simple thing to do which will save teams from their own accidents. WONTFIX would be rather disappointing.

Daniel Beck added a comment - 2017-06-22 18:47

abayer recently identified a plugin that did this for no real reason; this would have helped.

Daniel Beck added a comment - 2017-06-22 18:47 abayer recently identified a plugin that did this for no real reason; this would have helped.

Assignee:: vjuranek

Reporter:: Ed Randall

Votes:: 2 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2015-02-09 17:02

Updated:: 2017-06-22 18:47

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Daniel Beck added a comment - 2015-02-09 18:14

Expand comment: Daniel Beck added a comment - 2015-02-09 18:14

Collapse comment: Daniel Beck added a comment - 2017-04-10 20:51

Expand comment: Daniel Beck added a comment - 2017-04-10 20:51

Collapse comment: Ed Randall added a comment - 2017-04-11 07:19, Edited by Ed Randall - 2017-04-11 07:24

Expand comment: Ed Randall added a comment - 2017-04-11 07:19, Edited by Ed Randall - 2017-04-11 07:24

Collapse comment: Daniel Beck added a comment - 2017-06-22 18:47

Expand comment: Daniel Beck added a comment - 2017-06-22 18:47

People

Dates