Jenkins : JENKINS-28298

Fixed in authorize-project-plugin 1.2.0. (Requires Jenkins > 1.625)

Abstract

  • Authorize Project plugin provides a feature "Run as specific user" to run builds as a specified user.
  • "Run as specific user" requires authentication to configure.
  • Unfortunately, Remote access API (aka WebAPI) and Jenkins CLI can bypass that authentication, so users with configuration privileges can run builds as any user (JENKINS-28298).
  • This page describes details and a workaround for that problem.

Jenkins instances affected by JENKINS-28298.

Users meeting ALL of the following conditions are affected by this problem:

  • Installs authorize-project-plugin.
  • Enables "Run as specific user" in Global Security Configuration.
    • The feature for enabling / disabling a specific strategy was introduced in authorize-project 1.1.0.
    • Authorize-project < 1.1.0 always meets this condition.
  • Uses Jenkins >= 1.532.3 or >= 1.545.
    • That is, the change in 1.545 was backported to 1.532.3.

How to avoid JENKINS-28298.

You have to disable BOTH remote access API and CLI to avoid JENKINS-28298.

Disabling remote access API (example configuration with apache HTTP server 2.4)

  • Jenkins doesn't provide an option to disable Remote access API. You have to disable it by limiting access to the URLs of the remote access API.
  • This is an example configuration with apache HTTP server 2.4:
    ProxyPass /jenkins http://localhost:8080/jenkins
    ProxyPassReverse /jenkins http://localhost:8080/jenkins
    
    <LocationMatch "^/jenkins/.*/config.xml$">
      <Limit POST>
        Require all denied
        # for httpd <= 2.2
        # Order deny,allow
        # Deny from all
      </Limit>
    </LocationMatch>
    

Disabling CLI

Status of authorize-project for the problem

How to reproduce the problem

The following Jenkins users are used in these examples:

  User   Password   Privileges       Comment
  admin  (unknown)  Administrative
  devel  devel      Configure a job  He / she can configure a job to run as his own authorization, but cannot (should not) configure it to run as admin.

Reproduce with remote access API

  1. Test that "devel" cannot configure authorize-project for "admin"
    1. Create a new free-style project "JENKINS-28298"
    2. Check "Configure Build Authorization"
    3. Check "Run as Specific User"
    4. Enter "admin" for "User ID"
    5. Leave "Password" empty
    6. Save the configuration. Saving fails with an authentication error.
  2. Create a project that runs as "devel"
    1. Create a new free-style project "JENKINS-28298"
    2. Check "Configure Build Authorization"
    3. Check "Run as Specific User"
    4. Enter "devel" for "User ID"
    5. Save the configuration.
  3. Retrieve the current config.xml via remote access API
    curl -u devel:devel -o config.xml http://[path to your jenkins]/job/JENKINS-28298/config.xml
    
  4. Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml with an editor.
  5. Overwrite the configuration via remote access API
    curl -u devel:devel -d @config.xml http://[path to your jenkins]/job/JENKINS-28298/config.xml
    
  6. Open the configuration page. The project is configured to run as "admin".

Reproduce with CLI

  1. Prepare a job "JENKINS-28298" as in #Reproduce with remote access API
  2. Retrieve jenkins-cli.jar
    curl -o jenkins-cli.jar http://[path to your jenkins]/jnlpJars/jenkins-cli.jar
    
  3. Retrieve the current config.xml via CLI.
    java -jar jenkins-cli.jar -s http://[path to your jenkins]/ get-job JENKINS-28298 --username devel --password devel > config.xml
    
    • If it fails with No such job 'JENKINS-28298', you might need to grant Overall.Read and Job.Read to anonymous users because of JENKINS-12543.
  4. Modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml
  5. Overwrite the configuration via CLI.
    java -jar jenkins-cli.jar -s http://[path to your jenkins]/ update-job JENKINS-28298 --username devel --password devel < config.xml
    
  6. Open the configuration page. The project is configured to run as "admin".
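Because the bypass leaves its trace in the job's config.xml (a "<userid>" that names a privileged account), an administrator can audit existing jobs for it while the workaround above is put in place. The following script is an added example, not part of this page or of the authorize-project plugin; the wrapper element names in the sample XML and the list of privileged accounts are assumptions, and the sample config.xml is constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Accounts that no job should be configured to run as via
# "Run as specific user" (constructed list for this example).
PRIVILEGED_USERS = {"admin"}

# Constructed sample of the relevant part of a job's config.xml.
# The page shows the account stored in a <userid> element; the
# surrounding element and class names here are assumed, not from the page.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <properties>
    <org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty>
      <strategy class="org.jenkinsci.plugins.authorizeproject.strategy.SpecificUsersAuthorizationStrategy">
        <userid>admin</userid>
      </strategy>
    </org.jenkinsci.plugins.authorizeproject.AuthorizeProjectProperty>
  </properties>
</project>
"""


def find_run_as_users(config_xml: str):
    """Return every user id a job's config.xml asks builds to run as."""
    root = ET.fromstring(config_xml)
    # Walk the whole document so the check does not depend on the
    # assumed wrapper element names used in the sample above.
    return [e.text.strip() for e in root.iter("userid") if e.text]


def flag_privileged(config_xml: str, privileged=PRIVILEGED_USERS):
    """Return the configured run-as users that are privileged accounts."""
    return sorted(set(find_run_as_users(config_xml)) & set(privileged))


def audit_jobs(jobs_dir: str, privileged=PRIVILEGED_USERS):
    """Scan $JENKINS_HOME/jobs/*/config.xml; map job name -> flagged users."""
    findings = {}
    for cfg in Path(jobs_dir).glob("*/config.xml"):
        hits = flag_privileged(cfg.read_text(encoding="utf-8"), privileged)
        if hits:
            findings[cfg.parent.name] = hits
    return findings


if __name__ == "__main__":
    print(flag_privileged(SAMPLE_CONFIG))  # ['admin']
```

Run audit_jobs("/var/lib/jenkins/jobs") (path assumed) on the controller to list every job whose run-as account is in the privileged set.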