[JENKINS-26993] GIT Plugin requires /tmp to be mounted executable

Type: Bug
Resolution: Won't Fix
Priority: Minor
Component/s: git-plugin
Labels:
None
Environment:
2.2.12 2.2.7

Similar Issues:
Powered by SuggestiMate

Show

We believe that the jenkins GIT plugin requires the /tmp on the jenkins nodes to be executable. Is there anyway we can change this location as it is against our security policy to not have temp locked down.

Thanks, if a bug is not the correct method to report this I do apologise.

Thanks

Dave

is related to

JENKINS-50471 Linux /tmp directory mounted noexec breaks git clone

Closed

Mark Waite added a comment - 2015-02-18 00:32

This is not a bug, as far as I can tell, or at least your description does not give me confidence this is a bug.

I think you want to control where the git plugin (and possibly the rest of Jenkins) writes its temporary files. Have you tried adjusting the values of the environment variables (TMP) and properties (java.io.tmpdir) from the command line, or from the environment which starts the Jenkins server and / or the relevant slave agent? Refer to stackoverflow for one source of that information.

If you have made those adjustments and still see a requirement for a specific directory, please provided a detailed list of the steps you take to show the problem. For an even better chance of having your concerns addressed, submit a pull request to the git plugin and/or git client plugin with a test which shows the failure, and a code change which fixes the failure.

If you still believe this is a bug, please provide the additional information suggested in how to report an issue

Mark Waite added a comment - 2015-02-18 00:32 This is not a bug, as far as I can tell, or at least your description does not give me confidence this is a bug. I think you want to control where the git plugin (and possibly the rest of Jenkins) writes its temporary files. Have you tried adjusting the values of the environment variables (TMP) and properties (java.io.tmpdir) from the command line, or from the environment which starts the Jenkins server and / or the relevant slave agent? Refer to stackoverflow for one source of that information. If you have made those adjustments and still see a requirement for a specific directory, please provided a detailed list of the steps you take to show the problem. For an even better chance of having your concerns addressed, submit a pull request to the git plugin and/or git client plugin with a test which shows the failure, and a code change which fixes the failure. If you still believe this is a bug, please provide the additional information suggested in how to report an issue

Allan BURDAJEWICZ added a comment - 2017-02-24 04:44

markewaite Since version 2.0.0 of the git-client, both git SSH and HTTPS authentication requires that Jenkins has such permission on the Temporary folder.

1. User who were using HTTP/s authentication and had restriction on the temp folder would be impacted by this change.

Can we maybe add a notice/warning on the plugin documentation about this ?

2. It is common and a good practice to restrict execution on the temporary folder

Maybe we should move this file to Workspace temp folder or re-implementing in some other way that is *not forcing jenkins users to violate best practices* ?

Allan BURDAJEWICZ added a comment - 2017-02-24 04:44 markewaite Since version 2.0.0 of the git-client, both git SSH and HTTPS authentication requires that Jenkins has such permission on the Temporary folder. 1. User who were using HTTP/s authentication and had restriction on the temp folder would be impacted by this change. Can we maybe add a notice/warning on the plugin documentation about this ? 2. It is common and a good practice to restrict execution on the temporary folder Maybe we should move this file to Workspace temp folder or re-implementing in some other way that is * not forcing jenkins users to violate best practices * ?

Mark Waite added a comment - 2017-02-24 05:17 - edited

Thanks for the recommendation. You're welcome to update the documentation on the wiki to include that information.

You're also welcome to submit a pull request to propose alternate techniques for temporary file handling. Could you also include references to those locations which describe it as a common and a good practice to restrict execution on the temporary folder? That's new information for me. I'd like to read more about it.

Mark Waite added a comment - 2017-02-24 05:17 - edited Thanks for the recommendation. You're welcome to update the documentation on the wiki to include that information. You're also welcome to submit a pull request to propose alternate techniques for temporary file handling. Could you also include references to those locations which describe it as a common and a good practice to restrict execution on the temporary folder? That's new information for me. I'd like to read more about it.

Allan BURDAJEWICZ added a comment - 2017-02-24 06:15

Thanks for the answer. I am gonna update the wiki accordingly.

> Could you also include references to those locations which describe it as a common and a good practice to restrict execution on the temporary folder?

Also some documentation suggests that setting the /temp to no exec is a standard recommendation for hardening a linux machine

https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/
https://static.open-scap.org/ssg-guides/ssg-sl7-guide-index.html)

> You're also welcome to submit a pull request to propose alternate techniques for temporary file handling.

I wanted to open the discussion about this to understand what could be the best approach.

A workaround is to set the temporary folder via the system property `-Djava.io.tmpDir=<pathToDirectory>` on the master and the agents. That way, the content executed by Jenkins is somehow contained... This is documented here: https://support.cloudbees.com/hc/en-us/articles/115003082887-Jenkins-with-Git-Client-needs-permission-on-Temporary-directory

Allan BURDAJEWICZ added a comment - 2017-02-24 06:15 Thanks for the answer. I am gonna update the wiki accordingly. > Could you also include references to those locations which describe it as a common and a good practice to restrict execution on the temporary folder? Also some documentation suggests that setting the /temp to no exec is a standard recommendation for hardening a linux machine https://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/ https://static.open-scap.org/ssg-guides/ssg-sl7-guide-index.html ) > You're also welcome to submit a pull request to propose alternate techniques for temporary file handling. I wanted to open the discussion about this to understand what could be the best approach. A workaround is to set the temporary folder via the system property `-Djava.io.tmpDir=<pathToDirectory>` on the master and the agents. That way, the content executed by Jenkins is somehow contained... This is documented here: https://support.cloudbees.com/hc/en-us/articles/115003082887-Jenkins-with-Git-Client-needs-permission-on-Temporary-directory

Mark Waite added a comment - 2017-02-24 12:31

My ultimate preference would be to not use the temporary directory for scripts, but that requires a significant change to the authentication techniques in the plugin. When submodule authentication was added in git client plugin 2.0.0, it switched from one form of using the temporary directory to another, but didn't remove the need to write sensitive information to files in the temporary directory.

There are other ways to send secrets into git which don't require that the plugin write a script (or a data file) to the file system. I started on a development line (part of PR207 and PR207 exploration) which would switch from a script in the temporary folder to a data file in the temporary folder, but have not had time to complete that work. If you're interested in that area and have time available to investigate, that would resolve other bugs as well (like the report that you can't embed an ampersand in a Linux username / password pair).

Mark Waite added a comment - 2017-02-24 12:31 My ultimate preference would be to not use the temporary directory for scripts, but that requires a significant change to the authentication techniques in the plugin. When submodule authentication was added in git client plugin 2.0.0, it switched from one form of using the temporary directory to another, but didn't remove the need to write sensitive information to files in the temporary directory. There are other ways to send secrets into git which don't require that the plugin write a script (or a data file) to the file system. I started on a development line (part of PR207 and PR207 exploration ) which would switch from a script in the temporary folder to a data file in the temporary folder, but have not had time to complete that work. If you're interested in that area and have time available to investigate, that would resolve other bugs as well (like the report that you can't embed an ampersand in a Linux username / password pair).

Allan BURDAJEWICZ added a comment - 2017-03-04 01:18

Thanks for the link to these PRs markewaite.
I updated the Wiki for Git Client plugin by the way.

Allan BURDAJEWICZ added a comment - 2017-03-04 01:18 Thanks for the link to these PRs markewaite . I updated the Wiki for Git Client plugin by the way.

Mark Waite added a comment - 2018-03-29 02:44

Another workaround is to use JGit as the git implementation instead of command line git. Add JGit as an implementation from the Global Tools configuration, then each freestyle job will include a pick-list to select the git implementation to use for that repository. Pipeline jobs can select the implementation with an argument to `checkout`

Mark Waite added a comment - 2018-03-29 02:44 Another workaround is to use JGit as the git implementation instead of command line git. Add JGit as an implementation from the Global Tools configuration, then each freestyle job will include a pick-list to select the git implementation to use for that repository. Pipeline jobs can select the implementation with an argument to `checkout`

Assignee:: Nicolas De Loof

Reporter:: David Shaw

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2015-02-17 14:04

Updated:: 2018-03-29 02:44

Resolved:: 2015-02-20 13:14

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Mark Waite added a comment - 2015-02-18 00:32

Expand comment: Mark Waite added a comment - 2015-02-18 00:32

Collapse comment: Allan BURDAJEWICZ added a comment - 2017-02-24 04:44

Expand comment: Allan BURDAJEWICZ added a comment - 2017-02-24 04:44

Collapse comment: Mark Waite added a comment - 2017-02-24 05:17, Edited by Mark Waite - 2017-02-24 05:26

Expand comment: Mark Waite added a comment - 2017-02-24 05:17, Edited by Mark Waite - 2017-02-24 05:26

Collapse comment: Allan BURDAJEWICZ added a comment - 2017-02-24 06:15

Expand comment: Allan BURDAJEWICZ added a comment - 2017-02-24 06:15

Collapse comment: Mark Waite added a comment - 2017-02-24 12:31

Expand comment: Mark Waite added a comment - 2017-02-24 12:31

Collapse comment: Allan BURDAJEWICZ added a comment - 2017-03-04 01:18

Expand comment: Allan BURDAJEWICZ added a comment - 2017-03-04 01:18

Collapse comment: Mark Waite added a comment - 2018-03-29 02:44

Expand comment: Mark Waite added a comment - 2018-03-29 02:44

People

Dates