[JENKINS-72585] Using JENKINS_HTTPS_KEYSTORE_PASSWORD exposes keystore password in process list

Type: Bug
Resolution: Unresolved
Priority: Major
Component/s: packaging
Labels:
None
Environment:
Rocky Linux 9.3
Jenkins 2.441 installed from RPM

Similar Issues:
Powered by SuggestiMate

Show

If Jenkins is installed from RPM and systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes keystore password in the process list.

https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn
but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use --paramsFromStdIn if JENKINS_HTTPS_KEYSTORE_PASSWORD is set.

Vilius created issue - 2024-01-21 17:01

Vilius made changes - 2024-01-21 17:04

Description

Original: If Jenkins is installed from RPM and systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes keystore password in the process list.

https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters talks about sensitive parameters, specifically about `--httpsKeystorePassword`, and recommends the use of `--paramsFromStdIn` but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use `--paramsFromStdIn` if `--httpsKeystorePassword` is set.

New: If Jenkins is installed from RPM and systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes keystore password in the process list.

[https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters] talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn
but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use --paramsFromStdIn if --httpsKeystorePassword is set.

Vilius made changes - 2024-01-21 17:05

Description

Original: If Jenkins is installed from RPM and systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes keystore password in the process list.

[https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters] talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn
but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use --paramsFromStdIn if --httpsKeystorePassword is set.

New: If Jenkins is installed from RPM and systemd unit has JENKINS_HTTPS_KEYSTORE_PASSWORD set, this exposes keystore password in the process list.

[https://www.jenkins.io/doc/book/installing/initial-settings/#miscellaneous-parameters] talks about sensitive parameters, specifically about --httpsKeystorePassword, and recommends the use of --paramsFromStdIn
but Jenkins' own systemd starter doesn't follow that.

IMO, Jenkins systemd starter script should use --paramsFromStdIn if JENKINS_HTTPS_KEYSTORE_PASSWORD is set.

Basil Crow made changes - 2024-01-24 00:11

Component/s		New: packaging [ 20120 ]
Component/s	Original: core [ 15593 ]

Jenkins

Details

Description

Attachments

Activity

People

Dates