...

If you have convinced yourself that this is the right thing to do, you can go to http://jenkins/configureSecurity and uncheck the "Enable Agent → Master Access Control" option. This setting is remembered by $JENKINS_HOME/secrets/slave-to-master-security-kill-switch. The file should contain either true or false as its content (when the kill-switch is set to false, it means that Agent → Master Access Control is enabled). If you do not want this to be configurable by an administrator, you can make this file read-only for Jenkins.

...

Note

Your Jenkins deployment may grow over time and start accepting less trusted agents. It's too easy for that to happen without you remembering this flag. So be careful when you do this. Please revisit this later to see if you should enable this subsystem.


...

Until all such plugins are properly updated, administrators can mark specific commands as intended to be executed on a master. We call this "whitelisting."

Administrators can whitelist classes by writing $JENKINS_HOME/secrets/whitelisted-callables.d/*.conf and listing command names on separate lines. All such files are read and the results are combined. Jenkins itself generates default.conf in this directory, which lists known safe commands. This file is always overwritten by Jenkins every time it starts, but if for some reason you do not want to whitelist these classes, you can do so by putting in its place a file that is not writable by Jenkins.
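A read-only audit of the two files described so far (the kill switch and the whitelisted-callables.d directory), as an added Python example that is not part of Jenkins or of the original page. The fallback path /var/lib/jenkins and the treatment of lines starting with '#' as comments are assumptions.

```python
"""Audit the agent-to-master security files under $JENKINS_HOME/secrets."""
import os
from pathlib import Path


def kill_switch_state(secrets: Path) -> str:
    """Translate the kill-switch file into the state of Agent -> Master Access Control."""
    f = secrets / "slave-to-master-security-kill-switch"
    if not f.is_file():
        return "unknown (file missing)"
    value = f.read_text().strip().lower()
    if value == "false":      # kill switch off: the access control is active
        return "enabled"
    if value == "true":       # kill switch on: agents are fully trusted
        return "DISABLED"
    return f"unknown (unexpected content {value!r})"


def whitelisted_callables(secrets: Path) -> dict:
    """Combine every whitelisted-callables.d/*.conf; map class name -> files listing it."""
    found = {}
    for conf in sorted((secrets / "whitelisted-callables.d").glob("*.conf")):
        for line in conf.read_text().splitlines():
            name = line.strip()
            if name and not name.startswith("#"):  # assumption: '#' starts a comment
                found.setdefault(name, []).append(conf.name)
    return found


def audit(jenkins_home: str) -> dict:
    secrets = Path(jenkins_home) / "secrets"
    callables = whitelisted_callables(secrets)
    return {
        "access_control": kill_switch_state(secrets),
        # Names listed anywhere other than Jenkins' own default.conf were added locally.
        "admin_whitelisted": sorted(
            n for n, src in callables.items() if any(s != "default.conf" for s in src)
        ),
        "total_whitelisted": len(callables),
    }


if __name__ == "__main__":
    # /var/lib/jenkins is an assumed fallback; set JENKINS_HOME for your installation.
    print(audit(os.environ.get("JENKINS_HOME", "/var/lib/jenkins")))
```

Run it as a user that can read the secrets directory; anything under admin_whitelisted is a callable that an agent may ask the master to run and is worth reviewing.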

...

# To avoid hassle of escaping every '\' on Windows, you can use / everywhere, even on Windows.
deny all <JENKINS_HOME>/secrets/.*
allow all <JENKINS_HOME>/.*

...

Rules are read from $JENKINS_HOME/secrets/filepath-filters.d/*.conf after sorting these files in alphabetical order.

Jenkins itself generates 30-default.conf in this directory, which lists rules that the Jenkins core developers currently think are the best balance between compatibility and security. This file is always overwritten by Jenkins every time it starts, but if for some reason you do not want to whitelist these classes, you can do so by placing a file with that name that's not writable by Jenkins.

...

When a file access is checked, the path of the file being considered is absolutized (i.e., it can be /foo/bar/zot but not ./zot). It is also normalized to remove all the intermediate "." and "..". So a regular expression /foo/bar/zot.* will never match /foo/bar/zot/../../../etc/passwd, and likewise a regular expression /foo/bar/../zot/.+ will never match /foo/zot/bar.
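The rule ordering and path normalization described above, as an added Python sketch for checking a rule set offline; it is not Jenkins code. The file name 50-custom.conf, the /var/lib/jenkins home and the sample paths are constructed, and three behaviours are assumptions: the first matching rule wins, the regular expression must match the whole path, and an access that no rule matches is refused.

```python
"""Evaluate a path against filepath-filters.d-style rules (POSIX paths only)."""
import posixpath
import re

# Constructed rule files, keyed by the name they would have in filepath-filters.d/.
SAMPLE_FILES = {
    "50-custom.conf": "allow all <JENKINS_HOME>/.*\n",
    "30-default.conf": (
        "# constructed stand-in for the generated defaults\n"
        "deny all <JENKINS_HOME>/secrets/.*\n"
    ),
}


def load_rules(files, jenkins_home):
    """Parse '<allow|deny> <ops> <regex>' lines, taking files in alphabetical order."""
    rules = []
    for name in sorted(files):
        for line in files[name].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            verdict, ops, pattern = line.split(None, 2)
            pattern = pattern.replace("<JENKINS_HOME>", re.escape(jenkins_home))
            rules.append((verdict == "allow", set(ops.split(",")),
                          re.compile(pattern), name))
    return rules


def normalize(path, cwd="/"):
    """Absolutize the path and drop '.' and '..' before any rule sees it."""
    return posixpath.normpath(posixpath.join(cwd, path))


def check(rules, op, path):
    """Return (allowed, deciding_file) for one operation on one path."""
    path = normalize(path)
    for allowed, ops, regex, source in rules:
        # Assumptions: whole-path match, and the first matching rule decides.
        if ("all" in ops or op in ops) and regex.fullmatch(path):
            return allowed, source
    return False, None  # assumption: no matching rule means the access is refused
```

Because the check runs on the normalized path, a request for <JENKINS_HOME>/jobs/a/../../secrets/example.key is evaluated as <JENKINS_HOME>/secrets/example.key and hits the deny rule.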

...

When submitted, these changes are written back to disk and then re-read right away into Jenkins, including all whitelisted-callables.d/*.conf and filepath-filters.d/*.conf files.


I'm a plugin developer. What should I do?

...

For this purpose, the remoting library has added the RoleSensitive interface with a checkRoles() method. Callable, FileCallable, and other similar interfaces now extend from this interface. So if you are directly implementing Callable, you will get an error saying that you have unimplemented abstract methods.

...

When marking a Callable for agent → master, care has to be taken to ensure that the implementation is not exploitable by malicious agents.

...

To solve this problem, we've developed the SECURITY-144-compat module. This module lets you classify Callable, while still functioning correctly on earlier versions of Jenkins. See the documentation of SECURITY-144-compat for details.

Note

As of version 1.1, this library is deprecated, as its use caused some unresolved problems (JENKINS-25625).
Anyway 1.580.1 is now a fairly conservative choice of baseline: you will not exclude so many users by requiring it for new plugin releases.

...

// PROBLEMATIC
class MySCM extends SCM {
    ...
    public void checkout( ..., FilePath workspace, File _changelogFile ) {
        FilePath changelogFile = new FilePath(_changelogFile);
        workspace.act(new Callable<Void,IOException>() {
            public Void call() throws IOException {
                // this results in an agent asking the master to open a file for write
                try (OutputStream os = changelogFile.write()) {
                    writeStuffTo(os);
                }
                return null;
            }
        });
    }
}

// GOOD
class MySCM extends SCM {
    ...
    public void checkout( ..., FilePath workspace, File _changelogFile ) {
        try (final OutputStream out = new RemoteOutputStream(_changelogFile)) {
            workspace.act(new Callable<Void,IOException>() {
                public Void call() throws IOException {
                    // agent is just writing to a pipe to the master. Quite safe
                    writeStuffTo(out);
                    return null;
                }
            });
        }
    }
}

...

If you have questions, please write to jenkinsci-dev@googlegroups.com, or talk to us on IRC.