[ https://issues.jenkins-ci.org/browse/JENKINS-12197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=159000#comment-159000 ]

Ulli Hafner commented on JENKINS-12197:
---------------------------------------

Integrated in [Jenkins Analysis Plug-ins (Compile) #381|http://faktorzehn.org:8081/job/Jenkins%20Analysis%20Plug-ins%20(Compile)/381/]
     [JENKINS-12197] Added logging of the used reference build. (Revision 4e0415e9c3cd00a919d1693fcec2d2aaab8fb2d3)

     Result = SUCCESS

> Security hole when using IPS distribution on Solaris
> ----------------------------------------------------
>
>                 Key: JENKINS-12197
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12197
>             Project: Jenkins
>          Issue Type: Bug
>          Components: core, infrastructure
>    Affects Versions: current
>         Environment: Solaris 11 Express, Solaris 11
>            Reporter: Thorsten Heit
>            Assignee: Kohsuke Kawaguchi
>            Priority: Critical
>              Labels: jenkins
>
> When you install Jenkins on Solaris 11 Express by using the IPS distribution
> (see https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+OpenSolaris),
> a default manifest file is automatically provided. When you import it into
> SMF without adapting it and then start Jenkins, the instance is being run
> under the root account because of the following credentials in the manifest
> XML that are used for executing the process:
> {noformat}
>                       <method_credential user='root' group='root' />
> {noformat}
> A misbehaving process could eventually destroy the whole system Jenkins is 
> running on...
> I suggest changing the above line to use either the user "webservd"
> or, better, "nobody"; the latter one normally has no rights. The group
> credentials should also be changed:
> {noformat}
> --- jenkins.xml.orig  2011-12-21 20:21:06.000000000 +0100
> +++ jenkins.xml       2011-12-21 23:37:10.000000000 +0100
> @@ -37,7 +37,7 @@
>               </dependency>
>  
>               <method_context>
> -                     <method_credential user='root' group='root' />
> +                     <method_credential user='nobody' group=':default' />
>                       <method_environment>
>                               <envvar name='PATH' 
> value='/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/local/bin:/usr/local/sbin:/usr/sfw/bin'
>  />
>                               <envvar name='JENKINS_HOME' 
> value='/var/lib/jenkins' />
> {noformat}
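Review bot: The replacement `<method_credential user='nobody' group=':default' />` drops root, but the unchanged context in the same hunk still sets `JENKINS_HOME` to `/var/lib/jenkins`; unless that directory (and whatever the start method writes under it) is owned by or writable for the new account, the service will fail to start rather than run unprivileged, so the fix should be paired with a matching ownership change or an install step that prepares the directory for that user. `nobody` is also an account shared by other unprivileged daemons on Solaris, so a dedicated `jenkins` user with `group=':default'` would isolate the service better; if `nobody` is kept, the manifest change alone is still a clear improvement over root.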

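As an added example (not code from the Jenkins project or the bug report), the following script audits an SMF manifest for exec methods that would run as root, which is the defect described above: it parses the `method_context`/`method_credential` elements, treats a missing credential as root (SMF's default), and skips token methods such as `:kill` that svc.startd handles without spawning a process. The sample manifests are constructed and only mirror the shape of the quoted Jenkins manifest.

```python
"""Audit an SMF service manifest for methods that run with root privileges."""
import xml.etree.ElementTree as ET

# Constructed sample manifest shaped like the Jenkins IPS one in the report.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<service_bundle type="manifest" name="jenkins">
  <service name="application/jenkins" type="service" version="1">
    <exec_method type="method" name="start" timeout_seconds="60"
                 exec="/lib/svc/method/jenkins start">
      <method_context>
        <method_credential user='root' group='root' />
      </method_context>
    </exec_method>
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
  </service>
</service_bundle>
"""

# The same manifest after the change proposed in the report.
FIXED_MANIFEST = SAMPLE_MANIFEST.replace(
    "user='root' group='root'", "user='nobody' group=':default'")


def audit_manifest(xml_text):
    """Return (service, method, user, group) for every method that runs as root.

    A method without its own <method_context> inherits the service-level one;
    with no credential at all, svc.startd runs the method as root.
    """
    bundle = ET.fromstring(xml_text)
    findings = []
    for service in bundle.iter("service"):
        svc_cred = service.find("method_context/method_credential")
        for method in service.iter("exec_method"):
            if method.get("exec", "").startswith(":"):
                continue  # :kill / :true are handled internally, no process
            cred = method.find("method_context/method_credential")
            if cred is None:
                cred = svc_cred
            user = cred.get("user", "root") if cred is not None else "root"
            group = cred.get("group", ":default") if cred is not None else "root"
            if user == "root":
                findings.append((service.get("name"), method.get("name"), user, group))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("runs as root: service=%s method=%s user=%s group=%s" % finding)
```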
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
