How to disable Jenkins script console?


How to disable Jenkins script console?

Anna Freiholtz
Hi,

I would like to disable the possibility to use the Jenkins script console. But how do I do that?

Best regards,
Anna

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5927023e-d120-40bf-9579-bba0f0db156a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: How to disable Jenkins script console?

stephenconnolly
You could use an init.groovy script to remove the management link extension from the list of management link extensions. That will remove access to the HTML page. Keep in mind that there is a CLI command that offers the same functionality, so you'd need to cull that one also. There may also be other paths to that functionality so do not take the above as a complete solution.

On 13 November 2017 at 00:55, Anna Freiholtz <[hidden email]> wrote:
Hi,

I would like to disable the possibility to use the Jenkins script console. But how do I do that?

Best regards,
Anna

Re: How to disable Jenkins script console?

Daniel Beck

> On 13. Nov 2017, at 10:16, Stephen Connolly <[hidden email]> wrote:
>
> You could use an init.groovy script to remove the management link extension from the list of management link extensions. That will remove access to the HTML page.

Did you try that? I would be surprised if this worked given that Jenkins#doScript does all the work, so the /script URL should still be served.

> Keep in mind that there is a CLI command that offers the same functionality, so you'd need to cull that one also. There may also be other paths to that functionality so do not take the above as a complete solution.

The affected functionality:
- /script, /scriptText, /eval (sort of) URLs, and /computer/(whatever)/script and /computer/(whatever)/scriptText URLs
- groovy and groovysh CLI commands (can probably be deregistered)

UI:
- Link in Manage Jenkins (can probably be deregistered)
- Link in Computer sidepanel (cannot be deregistered)

I have a proposal PR at https://github.com/jenkinsci/jenkins/pull/3006 that does those things and I plan to make it a JEP. In the meantime, a combination of init.groovy.d scripting and reverse proxy request filtering should do it.

This all assumes you don't want to actually remove the permission to these scripts from admins to retain for example the 'In-Process Script Approval' functionality, and other scripting features provided by plugins. If you want to remove all of those, and not allow any 'system' scripting even for admins, you'll need a plugin that does not grant Overall/Run Scripts to users who have Overall/Administer. I'm not aware of any plugins that do this currently, so you'll need to fork one and add this (Permission#impliedBy is final, so cannot be scripted away).

Daniel
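
Added example (not code from the thread or from the Jenkins project): one way to check that the reverse proxy filtering suggested above is catching the URLs listed in that reply is to scan the proxy's access log for them and report any request that was not refused. The combined log format, the /jenkins context path, the 403 status for filtered requests, and all function names and sample lines are assumptions; the groovy and groovysh CLI commands are not covered.

```python
import posixpath
import re
from urllib.parse import unquote

# Endpoints listed in the thread: /script, /scriptText, /eval and the per-node
# /computer/<name>/script and /computer/<name>/scriptText.
SCRIPT_PATH = re.compile(r"^/(?:(?:computer/[^/]+/)?(?:script|scriptText)|eval)(?:/|$)")
# Assumed log layout: combined log format, as most reverse proxies can write it.
LOG_LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Constructed sample lines; Jenkins is assumed to be served under /jenkins.
SAMPLE_LOG = [
    '192.0.2.10 - alice [13/Nov/2017:10:20:01 +0000] "GET /jenkins/script HTTP/1.1" 403 162',
    '192.0.2.10 - alice [13/Nov/2017:10:20:05 +0000] "POST /jenkins/computer/(master)/scriptText HTTP/1.1" 200 48',
    '192.0.2.11 - - [13/Nov/2017:10:21:40 +0000] "GET /jenkins/script/?a=b HTTP/1.1" 200 5120',
    '192.0.2.12 - bob [13/Nov/2017:10:22:20 +0000] "GET /jenkins/scriptApproval/ HTTP/1.1" 200 7002',
]


def normalize(target, context_path=""):
    """Reduce a request target to a path relative to the Jenkins root."""
    path = unquote(target.split("?", 1)[0])
    # Deliberately broad: equivalent spellings of one URL must compare equal.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(re.sub(r"/{2,}", "/", path))
    if context_path and (path + "/").startswith(context_path + "/"):
        path = path[len(context_path):] or "/"
    return path


def script_endpoint_hits(lines, context_path=""):
    """Return (client, user, method, path, status) per script-endpoint request."""
    hits = []
    for line in lines:
        if m := LOG_LINE.match(line):
            client, user, method, target, status = m.groups()
            path = normalize(target, context_path)
            if SCRIPT_PATH.match(path):
                hits.append((client, user, method, path, int(status)))
    return hits


def unfiltered(hits):
    """Hits the proxy let through (assumes the filter answers 403)."""
    return [h for h in hits if h[4] != 403]


if __name__ == "__main__":
    for hit in unfiltered(script_endpoint_hits(SAMPLE_LOG, "/jenkins")):
        print("reached Jenkins:", hit)
```

The /scriptApproval page is not matched, so the 'In-Process Script Approval' functionality mentioned in the reply stays out of the report.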
