• Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • ec2-plugin
    • None

      After upgrading to 2.86, the plugin needs extra permission for a dynamic script to bring the slave online via an ssh connection.

      I cannot use "In-process Script Approval" because this script looks like
      'ssh user@123.212.12.232 ....' and it is dynamic!

          [JENKINS-47593] cannot be online without permission

          Jesse Glick added a comment -

          Seems an issue with EC2UnixLauncher.


          Matt Zeemann added a comment -

          While this gets fixed, are there any known workarounds? 


          Piotr Perzyna added a comment -

          Yes, I have! You can use native Java ssh - just uncheck the ssh option in config

          Chris Kulinski added a comment -

          Since the script to validate is well-known, and the arguments are dynamic (therefore hard to approve), should the plugin use the constructor that pre-approves the script?

          https://github.com/jenkinsci/command-launcher-plugin/blob/master/src/main/java/hudson/slaves/CommandLauncher.java#L82-L87
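Added example, not from the issue thread or from the ec2-plugin code: a simplified Java model of hash-keyed script approval, showing why a launch command that embeds a per-instance address never stays approved and what pre-approval by trusted code changes. The class, its method names, the SHA-256 choice and the sample commands are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;

/** Simplified model of approval keyed on the exact script text (hypothetical, not the Jenkins API). */
public class ApprovalModel {
    private final Set<String> approved = new HashSet<>();
    private final Set<String> pending = new HashSet<>();

    static String hash(String script) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(script.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Text entered through configuration: unknown scripts wait for an administrator. */
    void configuring(String script) {
        if (!approved.contains(hash(script))) pending.add(hash(script));
    }

    /** An administrator approves one pending script by hand. */
    void approvePending(String script) {
        if (pending.remove(hash(script))) approved.add(hash(script));
    }

    /** Trusted plugin code approves the exact string it has just built. */
    void preapprove(String script) { approved.add(hash(script)); }

    boolean mayRun(String script) { return approved.contains(hash(script)); }

    public static void main(String[] args) {
        ApprovalModel m = new ApprovalModel();
        // Constructed commands; the address differs for every instance that is launched.
        String first = "ssh user@203.0.113.10 java -jar agent.jar";
        String second = "ssh user@203.0.113.11 java -jar agent.jar";
        m.configuring(first);
        m.approvePending(first);
        m.configuring(second);
        System.out.println("first, approved by hand: " + m.mayRun(first));
        System.out.println("second, new address:     " + m.mayRun(second));
        m.preapprove(second);
        System.out.println("second, pre-approved:    " + m.mayRun(second));
    }
}
```

Pre-approval moves the trust decision from the administrator to whoever can edit the fields that feed the command string, which is why the later 1.38 change log also lists a permission check on unsafe parameter modification.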

          Chris Kulinski added a comment -

          We needed to use the "ssh option" in config, so we patched `EC2UnixLauncher` to use the other constructor for `CommandLauncher`

          We also had to install the new command-launcher-plugin. It seems the code likely gets a ClassNotFoundException for CommandLauncher, since it's been moved to its own plugin.

          Daniel Beck added a comment -

          kulinski This should not be happening; Jenkins should identify an upgrade and install newly detached plugins. Please file a new issue and file as many details as possible; ideally steps to reproduce and logs of the first Jenkins startup after update. Ping me in the description or a comment.


          Jesse Glick added a comment -

          To be clear, the “this” that should not be happening is the NoClassDefFoundError or whatever it is. The need to manually approve a command-line launch string is an acknowledged issue.


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Wadeck Follonier
          Path:
          src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
          http://jenkins-ci.org/commit/ec2-plugin/ae2bf458ecad2a84d0d9a5f899977f4a6da82af6
          Log:
          JENKINS-47593 [SECURITY-643] Allow command to be run without approval

          • use the second constructor of CommandLauncher to avoid being blocked by the security fix

          Daniel Beck added a comment -

          This was fixed as part of the 1.38 security update for the EC2 plugin.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Francis Upton IV
          Path:
          pom.xml
          src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
          src/main/java/hudson/plugins/ec2/SlaveTemplate.java
          src/main/java/hudson/plugins/ec2/UnixData.java
          src/main/java/hudson/plugins/ec2/ssh/EC2UnixLauncher.java
          src/main/resources/hudson/plugins/ec2/Messages.properties
          http://jenkins-ci.org/commit/ec2-plugin/180f7d0eae6031d67259a5d86d9d7d382f9eb05b
          Log:
          Jenkins 47593 avoid script block (#253)

          • JENKINS-47593 [SECURITY-643] Allow command to be run without approval
          • use the second constructor of CommandLauncher to avoid being blocked by the security fix
          • adding permission check on unsafe parameter modification
          • adding warning message in case someone is modifying the unsafe parameters
          • also put the right check on the readResolve
          • regroup the permission error message
          • change name of the required permission
          • [SECURITY-643] Fix exception during start of cloud config
          • [maven-release-plugin] prepare release ec2-1.38
          • [maven-release-plugin] prepare for next development iteration

            wfollonier Wadeck Follonier
            pperzyna Piotr Perzyna
            Votes: 5
            Watchers: 10