Security - Pipeline parameterized credentials can be reused by other users

Security - Pipeline parameterized credentials can be reused by other users

Sarfroz Basha
Hi All,

This is Sarfroz Basha. I'm working at T-Systems ICT INDIA PVT LTD. I have one risky task; can you please help me with this?



I want to remove the ability for users of Jenkins Pipeline to be able to modify the Jenkinsfile or other loaded pipeline scripts using the Replay option.

It seems that when a build with parameterized credentials is replayed, the credentials are reused. This may allow a user who doesn't know the password to run builds he shouldn't be able to, or impersonate other users.

Example:

Parameterized release -> The deployment credentials are parameters and so they aren't visible, but they are reused when the build is replayed.



Has anyone else experienced this or similar issues? Any assistance would be greatly appreciated!




Regards,

Sarfroz Basha

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c4d84b73-90a1-476c-b0c2-74a181f12015%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Security - Pipeline parameterized credentials can be reused by other users

stuartrowe
Could you remove build permissions on that job for the users that don't know the credentials? They wouldn't be able to run the job anyway. That should also remove their ability to replay the job, as far as I understand.


Re: Security - Pipeline parameterized credentials can be reused by other users

Sarfroz Basha


On Thursday, March 14, 2019 at 10:10:50 PM UTC+5:30, Stuart Rowe wrote:
Could you remove build permissions on that job for the users that don't know the credentials? They wouldn't be able to run the job anyway. That should also remove their ability to replay the job, as far as I understand.


Hi,

Thanks for your reply.

Can you elaborate clearly, step by step?


Re: Security - Pipeline parameterized credentials can be reused by other users

stuartrowe
I can't provide you with a step by step solution as it depends on how security and authorization is configured on your Jenkins instance. You should be able to find a lot of information on controlling Jenkins job/build permissions with a quick internet search.

On Thursday, 14 March 2019 22:55:46 UTC-7, Sarfroz Basha wrote:


On Thursday, March 14, 2019 at 10:10:50 PM UTC+5:30, Stuart Rowe wrote:
Could you remove build permissions on that job for the users that don't know the credentials? They wouldn't be able to run the job anyway. That should also remove their ability to replay the job, as far as I understand.


Hi,

Thanks for your reply.

Can you elaborate clearly, step by step?


Re: Security - Pipeline parameterized credentials can be reused by other users

Ivan Fernandez Calvo
By using https://wiki.jenkins.io/plugins/servlet/mobile?contentId=102662618#content/view/10266261 and removing permissions to configure jobs (maybe build too), and allowing only some people to trigger builds, or managing it with comments from GitHub (see https://wiki.jenkins.io/plugins/servlet/mobile?contentId=37749162#content/view/37749162). Also, on pipeline multibranch projects you have options to only trust the Jenkinsfile from the master branch.


Re: Security - Pipeline parameterized credentials can be reused by other users

Cyrille Le Clerc
@ivan I am very interested in this topic and I get a 404 on your first link. Can you please verify the URL and maybe share a "non mobile" URL.

On Saturday, March 16, 2019 at 4:48:12 PM UTC, Ivan Fernandez Calvo wrote:
By using https://wiki.jenkins.io/plugins/servlet/mobile?contentId=102662618#content/view/10266261 and removing permissions to configure jobs (maybe build too), and allowing only some people to trigger builds, or managing it with comments from GitHub (see https://wiki.jenkins.io/plugins/servlet/mobile?contentId=37749162#content/view/37749162). Also, on pipeline multibranch projects you have options to only trust the Jenkinsfile from the master branch.


Re: Security - Pipeline parameterized credentials can be reused by other users

Jenn Briden-2
I am also interested in learning more. My understanding is that this is a permissions issue on the Item and not really pipeline. Please correct me if I misunderstood.

On Sun, Mar 17, 2019 at 9:11 AM Cyrille Le Clerc <[hidden email]> wrote:
@ivan I am very interested in this topic and I get a 404 on your first link. Can you please verify the URL and maybe share a "non mobile" URL.

On Saturday, March 16, 2019 at 4:48:12 PM UTC, Ivan Fernandez Calvo wrote:
By using https://wiki.jenkins.io/plugins/servlet/mobile?contentId=102662618#content/view/10266261 and removing permissions to configure jobs (maybe build too), and allowing only some people to trigger builds, or managing it with comments from GitHub (see https://wiki.jenkins.io/plugins/servlet/mobile?contentId=37749162#content/view/37749162). Also, on pipeline multibranch projects you have options to only trust the Jenkinsfile from the master branch.


Re: Security - Pipeline parameterized credentials can be reused by other users

Ivan Fernandez Calvo

Multibranch Pipeline with defaults https://plugins.jenkins.io/pipeline-multibranch-defaults and Pipeline GitHub plugin https://github.com/jenkinsci/pipeline-github-plugin: the first allows you to set a default Jenkinsfile on Multibranch projects, so you can have the Jenkinsfile outside of the project repo in another repo that you manage with other permissions; the second allows you to interact with GitHub. I use it to check permissions and other stuff in GitHub before starting the build, to trigger builds with comments, and to check reviews. I do all this in a pipeline shared library that we will probably make public at some point.


On Mon, 18 Mar 2019 at 6:55, Jenn Briden (<[hidden email]>) wrote:
I am also interested in learning more. My understanding is that this is a permissions issue on the Item and not really pipeline. Please correct me if I misunderstood.

On Sun, Mar 17, 2019 at 9:11 AM Cyrille Le Clerc <[hidden email]> wrote:
@ivan I am very interested in this topic and I get a 404 on your first link. Can you please verify the URL and maybe share a "non mobile" URL.

On Saturday, March 16, 2019 at 4:48:12 PM UTC, Ivan Fernandez Calvo wrote:
By using https://wiki.jenkins.io/plugins/servlet/mobile?contentId=102662618#content/view/10266261 and removing permissions to configure jobs (maybe build too), and allowing only some people to trigger builds, or managing it with comments from GitHub (see https://wiki.jenkins.io/plugins/servlet/mobile?contentId=37749162#content/view/37749162). Also, on pipeline multibranch projects you have options to only trust the Jenkinsfile from the master branch.

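As an added illustration of the permission split the thread converges on (not code from any poster): a Jenkins Configuration as Code fragment for the Matrix Authorization Strategy plugin that lets a developer group read and trigger jobs while withholding Job/Configure and Run/Replay, so they can neither edit the Jenkinsfile nor replay a build that carries stored credential parameters. The group names are assumptions; the `permissions:` list form is the matrix-auth 2.x JCasC syntax, and newer plugin versions use an `entries:` list instead.

```yaml
jenkins:
  authorizationStrategy:
    projectMatrix:
      permissions:
        # Assumed group names: jenkins-admins, developers, release-managers.
        - "Overall/Administer:jenkins-admins"
        # Logged-in users may browse Jenkins but get nothing else globally.
        - "Overall/Read:authenticated"
        # Developers: see jobs and trigger/cancel builds only. The weak grants
        # are deliberately absent here: "Job/Configure:developers" would let
        # them rewrite the pipeline, and "Run/Replay:developers" would let them
        # rerun a build with its stored credential parameters under a modified
        # script. Job/Configure also implies Run/Replay, so withholding
        # Configure alone is not enough if Replay is granted separately.
        - "Job/Read:developers"
        - "Job/Build:developers"
        - "Job/Cancel:developers"
        - "Job/Workspace:developers"
        # Release managers, who already know the deployment credentials, are
        # the only non-admins allowed to configure and replay pipelines.
        - "Job/Read:release-managers"
        - "Job/Build:release-managers"
        - "Job/Configure:release-managers"
        - "Run/Replay:release-managers"
        - "Run/Update:release-managers"
```

With the project-based strategy, a single sensitive release job can further drop "Job/Build" for developers in its own job-level permission matrix, which is the per-job restriction suggested earlier in the thread.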