I am +1 for deprecating them. All major plugins already hide them by default, and we have a security advisory for it. https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions and below
BR, Oleg

On Monday, December 9, 2019 at 5:30:32 PM UTC+1, Michael Cirioli wrote:
>
> These permissions have been effectively hidden (unless specifically enabled) since 2017-4-10 (see SECURITY-410 <https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions>).
>
> Work is underway to introduce a more sensible permission segregation that allows the delegation of limited administrative capabilities in a secure manner (see https://github.com/jenkinsci/jep/pull/249), and it seems reasonable to officially begin to phase out the usage of these permissions.
>
> A WIP PR is available for review (https://github.com/jenkinsci/jenkins/pull/4365), as well as an associated issue (https://issues.jenkins-ci.org/browse/JENKINS-60406). If this PR is accepted, I expect to create an additional PR against the matrix-auth plugin that removes support for enabling the legacy behavior described in SECURITY-410 <https://jenkins.io/security/advisory/2017-04-10/#matrix-authorization-strategy-plugin-allowed-configuring-dangerous-permissions>:
>
>> If you want to retain the old, unsafe behavior, set the system property hudson.security.GlobalMatrixAuthorizationStrategy.dangerousPermissions to true.
>> The plugin retains permissions configured before upgrading, so there should be no changes in behavior afterwards.
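Because the advisory text quoted above says previously configured permissions are retained after upgrading, an instance can still carry these grants even with the property unset. The following audit sketch is an added example, not part of the thread or of Jenkins itself. It assumes the matrix-auth `<permission>ID:sid</permission>` layout in `config.xml` and the Jenkins core permission IDs for RunScripts, UploadPlugins and ConfigureUpdateCenter, none of which are named in the thread; the sample config and the sids in it are constructed.

```python
import xml.etree.ElementTree as ET

PROPERTY = "hudson.security.GlobalMatrixAuthorizationStrategy.dangerousPermissions"

# Assumption: core permission IDs of the permissions hidden by SECURITY-410.
DANGEROUS = {
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Hudson.UploadPlugins",
    "hudson.model.Hudson.ConfigureUpdateCenter",
}

# Constructed sample of a global config.xml using matrix authorization.
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.RunScripts:build-ops</permission>
    <permission>USER:hudson.model.Hudson.UploadPlugins:alice</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>"""


def dangerous_grants(config_xml):
    """Return sorted (permission, sid) pairs for dangerous permissions still granted."""
    found = set()
    for node in ET.fromstring(config_xml).iter("permission"):
        entry = (node.text or "").strip()
        # Newer matrix-auth releases prefix each entry with the principal type.
        for prefix in ("USER:", "GROUP:"):
            if entry.startswith(prefix):
                entry = entry[len(prefix):]
        perm, sep, sid = entry.partition(":")
        if sep and perm in DANGEROUS:
            found.add((perm, sid))
    return sorted(found)


def property_enabled(jvm_args):
    """True if the JVM arguments opt back in to the legacy behavior."""
    flag = "-D" + PROPERTY + "="
    values = [a[len(flag):] for a in jvm_args if a.startswith(flag)]
    # A later -D for the same key overrides an earlier one.
    return bool(values) and values[-1].lower() == "true"


if __name__ == "__main__":
    for perm, sid in dangerous_grants(SAMPLE_CONFIG):
        print(f"legacy grant: {perm} -> {sid}")
    print("opt-in property set:", property_enabled(["-Xmx2g", f"-D{PROPERTY}=true"]))
```
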
