Fixed in authorize-project-plugin 1.2.0. (Requires Jenkins > 1.625)
Abstract
- The Authorize Project plugin provides a feature, "Run as specific user", that runs builds as a specified user.
- "Run as specific user" requires authentication to configure.
- Unfortunately, the remote access API (aka WebAPI) and the Jenkins CLI bypass that authentication, so users with configuration privileges can have builds run as any user (JENKINS-28298).
- This page describes the details of that problem and a workaround for it.
Jenkins instances affected by JENKINS-28298.
Users meeting ALL of the following conditions are affected by this problem:
- authorize-project-plugin is installed.
- "Run as specific user" is enabled in the Global Security Configuration.
  - The feature for enabling / disabling a specific strategy was introduced in authorize-project 1.1.0.
  - authorize-project < 1.1.0 always meets this condition.
- Jenkins >= 1.532.3 or >= 1.545 is used.
  - That is, the change introduced in 1.545 was backported to 1.532.3.
How to avoid JENKINS-28298.
You have to disable BOTH the remote access API and the CLI to avoid JENKINS-28298.
Disabling remote access API (example configuration with apache HTTP server 2.4)
- Jenkins doesn't provide an option to disable the remote access API. You have to disable it by limiting access to the URLs of the remote access API.
- This is an example configuration with Apache HTTP Server 2.4 (it denies POST requests to any job's config.xml while leaving other requests untouched):
ProxyPass /jenkins http://localhost:8080/jenkins
ProxyPassReverse /jenkins http://localhost:8080/jenkins
<LocationMatch "^/jenkins/.*/config.xml$">
  <Limit POST>
    Require all denied
    # for httpd <= 2.2
    # Order deny,allow
    # Deny from all
  </Limit>
</LocationMatch>
Disabling CLI
- Jenkins doesn't provide an option to disable the CLI. You have to disable it by limiting access to the TCP port used by the CLI.
- The CLI is accessed via the "TCP port for JNLP slave agents" (see Jenkins CLI: "Configuring TCP/IP port for CLI and slaves" and "Connection mechanism").
- The port is chosen randomly by default. You can bind it to a specific port in the Global Security Configuration (see Jenkins CLI: "Configuring TCP/IP port for CLI and slaves").
- You can disable the CLI by limiting access to that port, for example (with the port fixed to 49187):
iptables -A INPUT -p tcp --dport 49187 -j DROP
- You may want to allow access from specific hosts if you use JNLP slaves (especially Windows slaves), since they connect to the same port.
Status of authorize-project for the problem
- The fix for this is requested to Jenkins core: JENKINS-28440, https://github.com/jenkinsci/jenkins/pull/1715
- Fixed in Jenkins 1.625 (and 1.625 is an LTS line).
- Authorize-project 1.1.0 provides an option to disable specific strategies and "Run as specific user" is disabled by default.
- I don't plan to remove "Run as specific user" as it's considered one of the essential features of the Authorize Project plugin.
How to reproduce the problem
The following Jenkins users are used in these examples:

User | Password | Privileges | Comment
---|---|---|---
admin | (unknown) | Administrative |
devel | devel | Configure a job | He / she can configure a job to run with his / her own authorization, but cannot (should not) configure it to run as admin.
Reproduce with remote access API
- Test that "devel" cannot configure authorize-project for "admin":
  - Create a new free-style project "JENKINS-28298".
  - Check "Configure Build Authorization".
  - Check "Run as Specific User".
  - Enter "admin" for "User ID".
  - Leave "Password" empty.
  - Save the configuration. It fails with an authentication error.
- Create a project that runs as "devel":
  - Create a new free-style project "JENKINS-28298".
  - Check "Configure Build Authorization".
  - Check "Run as Specific User".
  - Enter "devel" for "User ID".
  - Save the configuration.
- Retrieve the current config.xml via the remote access API:
curl -u devel:devel -o config.xml http://[path to your jenkins]/job/JENKINS-28298/config.xml
- Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml with an editor.
- Overwrite the configuration via the remote access API:
curl -u devel:devel -d @config.xml http://[path to your jenkins]/job/JENKINS-28298/config.xml
- Open the configuration page. The project is now configured to run as "admin".
Reproduce with CLI
- Prepare a job "JENKINS-28298" as in "Reproduce with remote access API".
- Retrieve jenkins-cli.jar:
curl -o jenkins-cli.jar http://[path to your jenkins]/jnlpJars/jenkins-cli.jar
- Retrieve the current config.xml via the CLI:
java -jar jenkins-cli.jar -s http://[path to your jenkins]/ get-job JENKINS-28298 --username devel --password devel > config.xml
- If it fails with "No such job 'JENKINS-28298'", you might need to grant Overall.Read and Job.Read to anonymous users because of JENKINS-12543.
- Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml.
- Overwrite the configuration via the CLI:
java -jar jenkins-cli.jar -s http://[path to your jenkins]/ update-job JENKINS-28298 --username devel --password devel < config.xml
- Open the configuration page. The project is now configured to run as "admin".
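Once the workaround is in place, an administrator will still want to know whether any job was already switched to a privileged user by the route described above. The following audit script is an added example, not code from the original page or from the Authorize Project plugin: it walks a jobs directory (for instance a copy of $JENKINS_HOME/jobs), reads each job's config.xml and reports the <userid> each job is configured to run as. The <userid> element is the one shown on this page; the AuthorizeProjectProperty / strategy element names and the class attribute in the constructed sample configs are assumptions about the plugin's config.xml layout.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample job configs. Only <userid> is taken from the page; the
# surrounding property/strategy element names are assumed.
SAMPLE_CONFIGS = {
    "build-devel": """<project><properties>
  <org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty>
    <strategy class="org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy"><userid>devel</userid></strategy>
  </org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty></properties></project>""",
    "deploy-prod": """<project><properties>
  <org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty>
    <strategy class="org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy"><userid>admin</userid></strategy>
  </org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty></properties></project>""",
    "plain-job": "<project><properties/></project>",
}

def run_as_users(jobs_dir):
    """Map job name -> userid for every jobs/<name>/config.xml that carries a <userid>."""
    result = {}
    for job in sorted(os.listdir(jobs_dir)):
        path = os.path.join(jobs_dir, job, "config.xml")
        if not os.path.isfile(path):
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # unreadable config: skip it rather than abort the whole audit
        for el in root.iter("userid"):
            if el.text and el.text.strip():
                result[job] = el.text.strip()
    return result

def flag_privileged(run_as, privileged=("admin",)):
    """Names of jobs configured to run as one of the privileged accounts."""
    return sorted(job for job, user in run_as.items() if user in privileged)

def write_sample_jobs():
    """Materialise SAMPLE_CONFIGS under a temporary jobs directory; return its path."""
    jobs_dir = tempfile.mkdtemp(prefix="jenkins-jobs-")
    for name, xml in SAMPLE_CONFIGS.items():
        os.makedirs(os.path.join(jobs_dir, name))
        with open(os.path.join(jobs_dir, name, "config.xml"), "w") as f:
            f.write(xml)
    return jobs_dir

if __name__ == "__main__":
    found = run_as_users(write_sample_jobs())
    print("run-as users:", found, "privileged:", flag_privileged(found))
```

Point run_as_users at a real jobs directory to list every job's configured user; the privileged set passed to flag_privileged should hold the administrative accounts of your own instance.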