That would assuage my concerns significantly.

On Thu, Jan 16, 2020 at 3:43 AM Daniel Beck <db...@cloudbees.com> wrote:
>
>
>
> On Wed, Jan 15, 2020 at 9:00 PM Matt Sicker <msic...@cloudbees.com> wrote:
>>>
>>> Plugins that contribute to the settings on the Configure Jenkins page 
>>> should carefully consider if allowing a user with only Jenkins.CONFIGURE 
>>> could result in an unintended privilege escalation.
>>
>>
>> To me, this sounds like a fairly onerous requirement for plugins. Based on 
>> the numerous published security advisories just around plugins not bothering 
>> with a permission check in the first place, this sounds like a fairly large 
>> hole. How could we mitigate that?
>
>
> The difference is that much of that comes from bad (permissive) defaults. 
> This would be opt-in, and with good documentation about security 
> considerations, plugin maintainers will be given the tools to understand 
> whether it makes sense to make this available, or not.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtL5X07BBvtorwR5t8%3DO%3D8mHdGkkX79YqKYrMixoF7yLrw%40mail.gmail.com.



-- 
Matt Sicker
Senior Software Engineer, CloudBees
