• Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • Component: pipeline
    • Environment: Jenkins ver. 2.164.1 LTS
      java version "1.8.0_131"

      Node-based security is ignored in Pipelines. Restricting "build" on a node to specific users has no effect.

      Reproduction:

      1. Create a node, let's say "test-node"
      2. Use restrictions to end up with a user that has access to Jenkins and can create pipelines but does not have "build" permission on that node
      3. Create a new job of type pipeline and add this code to it:
         node('test-node') { sh 'ls -la ..' }
      4. No matter which user starts this job, he is allowed to do it and can read files on that node. I would expect that running the job is denied for users who do not have "build" access to that node.

      That opens up the problem that users who are allowed to create jobs (which is not generally a bad idea) can use this to spy on nodes they are not allowed to use.

          [JENKINS-56617] Node-based security is ignored with pipelines

          Oleg Nenashev added a comment -

          konzertheld do you have the Authorize Project plugin configured on your instance? Without it, Computer.BUILD permission does nothing for Pipeline or Freestyle jobs.


          Jesse Glick added a comment -

          First of all, do not report even suspected security vulnerabilities in the public tracker. See the guidelines.

          As oleg_nenashev pointed out, builds have unrestricted permissions unless you do something to restrict them, by installing and configuring the Authorize Project plugin.

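          The check both comments point at, as an added Script Console audit that is not part of this issue or of Jenkins itself: it reports whether any QueueItemAuthenticator is configured (without one, builds run as SYSTEM and Computer.BUILD is never consulted), which agents deny Build to anonymous users, and which jobs lack a per-project Authorize Project strategy. The class and method names are Jenkins core and Authorize Project plugin APIs as I know them and are assumptions to verify against your version.

```groovy
// Added audit script for Manage Jenkins > Script Console. Not from the issue or the
// Jenkins project; assumes the core and Authorize Project class names below.
import jenkins.model.Jenkins
import jenkins.security.QueueItemAuthenticatorConfiguration
import hudson.model.Computer
import hudson.model.Job
import hudson.security.ACL

def jenkins = Jenkins.get()

// 1. Global build authentication. With no QueueItemAuthenticator every build runs as
//    SYSTEM, so node-level Build restrictions are never evaluated (the situation in
//    this issue).
def authenticators = QueueItemAuthenticatorConfiguration.get().getAuthenticators()
if (authenticators.isEmpty()) {
    println "WARNING: no QueueItemAuthenticator configured; builds run as SYSTEM and Computer.BUILD is not enforced"
} else {
    println "QueueItemAuthenticators: ${authenticators.collect { it.class.simpleName }}"
}

// 2. Agents whose ACL denies Build to anonymous: an admin evidently meant to restrict
//    who may use them, which only takes effect once (1) is in place.
jenkins.computers.each { Computer c ->
    if (!c.getACL().hasPermission(ACL.ANONYMOUS, Computer.BUILD)) {
        println "Node '${c.name}' restricts Build; restriction is effective only with a QueueItemAuthenticator"
    }
}

// 3. Jobs without a per-project authorization strategy. Loaded via the plugin class
//    loader so the script still runs when the plugin is not installed.
Class propClass = null
try {
    propClass = jenkins.pluginManager.uberClassLoader
        .loadClass('org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty')
} catch (ClassNotFoundException e) {
    println "Authorize Project plugin not installed; per-job authorization cannot be configured"
}
if (propClass != null) {
    def unconfigured = jenkins.getAllItems(Job).findAll { Job j ->
        def prop = j.getProperty(propClass)
        prop == null || prop.strategy == null
    }
    println "Jobs without an Authorize Project strategy (will run as SYSTEM): ${unconfigured.collect { it.fullName }}"
}
```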

          Christian Gredig added a comment -

          oleg_nenashev How could I have known this?

          jglick I read the reporting guidelines that one is linked to when opening an issue; the vulnerability guidelines are not linked there (they should be, probably). Also, this kind of actually is a security issue, isn't it? Even if it can be fixed by installing the plugin you mentioned - I can confirm it worked.

          Thanks for your answers though. My problem is solved, I just wonder how we can protect other users from running into the same problems.

          Jesse Glick added a comment -

          How could I have known this?

          We are already working on improved documentation and runtime alerts in this area.

          I read the reporting guidelines one is linked to when opening an issue, the vulnerability guidelines are not linked there

          Hmm. Can you give me an example URL?

          this kind of actually is a security issue, isn't it? Even if it can be fixed by installing the plugin

          Arguably yes, but we have not yet devised a way of enforcing full protection from the start without breaking thousands of Jenkins installations trying to upgrade, which is why we are starting with administrative notifications.


          Jesse Glick added a comment -

          See discussion surrounding JENKINS-24513 for example.


          Oleg Nenashev added a comment -

          FTR my slides about common security pitfalls in Jenkins, slide 76 and further: https://static.sched.com/hosted_files/devopsworldjenkinsworld2018/5f/DWJW2018_CommonSecurityPitfalls.pdf

          As jglick mentioned, JENKINS-24513 is probably the starting point for the discussion. In Jenkins 2.168 Daniel Beck has added an administrative monitor to make this situation explicit.


          Daniel Beck added a comment -

          We are already working on improved documentation and runtime alerts in this area.

          Specifically, the latest weeklies contain UI notifying admins about this. See https://user-images.githubusercontent.com/1831569/53601162-b2663580-3bab-11e9-9da8-93043aaf369c.png for how this looks at the first stage. It links to https://jenkins.io/doc/book/system-administration/security/build-authorization/

          Hmm. Can you give me an example URL?

          The description of "Summary" in the Create Issue screen links to https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue and I'm really happy someone's actually reading this.

          That said, https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue#Howtoreportanissue-Creatingtheissue says to report security issues in the Security project in Jira. It's less big, bold, and red than it could be, but at some point all that's left is big, bold, and red instructions. Perhaps this makes the cut to be bold and red? Suggestions (or edits) welcome.


          Christian Gredig added a comment -

          Ah, now I see the entry for the security project! Thanks for the explanation and sorry for disregarding it in the first place. I am also looking forward to the admin UI enhancements. And yes, maybe the security hint might make the "bold red" list.

            Assignee: Unassigned
            Reporter: Christian Gredig (konzertheld)
            Votes: 0
            Watchers: 4