Oliver,

      We have been trying to use the latest feature of setting no_security, as we got into disk issues due to logs printed by Jenkins whenever a signature is logged. We are on the latest Jenkins and the latest version of the plugin. But somehow we are just not able to make it work. We are passing the following command line argument to the JVM:

      -Dpermissive-script-security.enabled=no_security

      Once this is set, even the plugin is not active anymore and signature errors are thrown while jobs execute.

      Could you please comment if we are doing anything wrong with the setting?

          [JENKINS-47570] no_security not taking effect

          Oliver Gondža added a comment -

          Hmm, what does this print when executed from JENKINS_URL/script?

          println System.getProperty("permissive-script-security.enabled", "false")
          println org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.MODE

          Are you really using 0.3+ where this feature was introduced?

          Priyanka Panda added a comment - - edited

          Even I am having the same issue...
          This code

          println System.getProperty("permissive-script-security.enabled", "false")
          println org.jenkinsci.plugins.permissivescriptsecurity.PermissiveWhitelist.MODE

          prints the output as

          false
          DISABLED

          I am assuming the way to enable this is to pass the -Dpermissive-script-security.enabled=true code to the Jenkins JVM.
          What I did is add this line here:

          # Options to pass to java when running Jenkins.
          #
          JENKINS_JAVA_OPTIONS="-Dpermissive-script-security.enabled=true -Djava.awt.headless=true"

          and then did a Jenkins restart.
          Is this the correct way to enable the plugin?

          Oliver Gondža added a comment -

          Hmm, can you see the property listed and properly configured at https://JENKINS_URL/systemInfo? Is the option passed to the process (ps aux)? I suspect it might not be. Note the Jenkins /restart reinitializes the process as it was launched before so new options are grabbed from daemon config you seem to be using...

          Priyanka Panda added a comment -

          Hi olivergondza,
          when I check here in https://JENKINS_URL/systemInfo, I see this line:
          *permissive-script-security 0.3 true*
          So it implies that it is enabled on my Jenkins, isn't it?
          But ps -aux does not give me any info about this plugin.

          Also, if the plugin is enabled on my Jenkins, my scripts still need admin approval.
          Any pointers on that?

          Oliver Gondža added a comment -

          I suspect it is not enabled. The line you see means the plugin is installed in version 0.3 and not disabled on plugin level (do not let the "Enabled" column confuse you). You should see the property and value true listed in the "System Properties" section, which you do not seem to. This, and the fact you do not see the property listed in the process listing, suggests that the property you are passing is not delivered to the JVM process, so the whitelist is never activated. This is not a plugin issue.

          On a constructive side, are you using upstart / systemd? As I said, you may need to restart the service through the service daemon to get the service config propagated, as JENKINS_URL/restart has no way of achieving that.
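The check described in the comment above (is the property set in the daemon config actually on the running JVM's command line?), as an added example that is not part of the original thread. The config file contents, the java command line and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect a daemon config change that the
# running Jenkins JVM never received. All sample data below is constructed.
PROP="permissive-script-security.enabled"

# Value of -D$PROP in an option string; "unset" if absent.
# When the option is repeated, the last occurrence is reported.
prop_value() {
    v=$(printf '%s\n' "$1" | grep -o -e "-D$PROP=[^ \"']*" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${v:-unset}"
}

# Value configured in a sysconfig-style file, ignoring commented-out lines.
config_value() {
    prop_value "$(grep '^[[:space:]]*JENKINS_JAVA_OPTIONS=' "$1")"
}

# Compare the configured value ($1) with the value on the JVM command line ($2).
diagnose() {
    if [ "$1" = "$2" ]; then
        echo "in-sync"
    elif [ "$2" = "unset" ]; then
        echo "stale-process"   # config not delivered: restart via the service manager
    else
        echo "mismatch"        # JVM was started with a different value
    fi
}

# Constructed sample: config already edited, JVM still running with old options.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# Options to pass to java when running Jenkins.
#JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true"
JENKINS_JAVA_OPTIONS="-Dpermissive-script-security.enabled=true -Djava.awt.headless=true"
EOF
# On a live host this string would come from: ps -o args= -p <jenkins pid>
running_args="/usr/bin/java -Djava.awt.headless=true -jar /usr/lib/jenkins/jenkins.war"

configured=$(config_value "$cfg")
running=$(prop_value "$running_args")
echo "configured=$configured running=$running -> $(diagnose "$configured" "$running")"
rm -f "$cfg"
```

A "stale-process" result is the situation in this thread: the option is in the daemon config, but a restart through JENKINS_URL/restart relaunched the JVM with its old arguments.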

          Priyanka Panda added a comment - - edited

          Yes, I was restarting using the URL so it was not showing up in the ps -aux processes; it shows up once I restart Jenkins through the server/root user.
          Also I see this now in systemInfo: permissive-script-security.enabled true
          But the plugin still does not seem to work; I am still getting the message when I try to change anything as a Jenkins user (not admin):

          "A Jenkins administrator will need to approve this script before it can be used."

          The main purpose of me installing the plugin was to disable this "script approval" feature.

          Oliver Gondža added a comment -

          I presume it got the plugin enabled there. Good.

          Make sure you are using the whitelist and not the full script approvals.

          Priyanka Panda added a comment -

          But I don't think the plugin works as required. Jenkins still asks for script approvals.
          Why?

          Oliver Gondža added a comment -

          priyankapanda348, because there are multiple approaches to script approval [1] (full script approval and whitelisting). Permissive script security works for whitelisting only, due to implementation limitations. Have you made sure you are using whitelisting and not full script approval?

          [1] https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin
          [2] https://wiki.jenkins.io/display/JENKINS/Permissive+Script+Security+Plugin

            olivergondza Oliver Gondža
            vrenjith Renjith Pillai