[ https://issues.jenkins-ci.org/browse/JENKINS-12197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=159089#comment-159089 ]

dogfood commented on JENKINS-12197:
-----------------------------------

Integrated in !http://ci.jenkins-ci.org/images/16x16/blue.png! [plugins_analysis-core #10407|http://ci.jenkins-ci.org/job/plugins_analysis-core/10407/]
     [JENKINS-12197] Added logging of the used reference build. (Revision 4e0415e9c3cd00a919d1693fcec2d2aaab8fb2d3)

     Result = SUCCESS
Ulli Hafner : 
Files : 
* src/main/java/hudson/plugins/analysis/core/HealthAwarePublisher.java
* src/main/java/hudson/plugins/analysis/core/HealthAwareReporter.java
* src/main/java/hudson/plugins/analysis/core/BuildResultEvaluator.java
* src/main/java/hudson/plugins/analysis/core/BuildResult.java

                
> Security hole when using IPS distribution on Solaris
> ----------------------------------------------------
>
>                 Key: JENKINS-12197
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12197
>             Project: Jenkins
>          Issue Type: Bug
>          Components: core, infrastructure
>    Affects Versions: current
>         Environment: Solaris 11 Express, Solaris 11
>            Reporter: Thorsten Heit
>            Assignee: Kohsuke Kawaguchi
>            Priority: Critical
>              Labels: jenkins
>
> When you install Jenkins on Solaris 11 Express by using the IPS distribution 
> (see 
> https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+OpenSolaris),
>  a default manifest file is automatically provided. When you import it into 
> SMF without adapting it and then start Jenkins, the instance is being run 
> under the root account because of the following credentials in the manifest 
> XML that are used for executing the process:
> {noformat}
>                       <method_credential user='root' group='root' />
> {noformat}
> A misbehaving process could eventually destroy the whole system Jenkins is 
> running on...
> I suggest changing the above line to use either the user "webservd" 
> or, better, "nobody"; the latter normally has no rights. The group 
> credentials should also be changed:
> {noformat}
> --- jenkins.xml.orig  2011-12-21 20:21:06.000000000 +0100
> +++ jenkins.xml       2011-12-21 23:37:10.000000000 +0100
> @@ -37,7 +37,7 @@
>               </dependency>
>  
>               <method_context>
> -                     <method_credential user='root' group='root' />
> +                     <method_credential user='nobody' group=':default' />
>                       <method_environment>
>                               <envvar name='PATH' 
> value='/usr/bin:/usr/sbin:/usr/ccs/bin:/usr/local/bin:/usr/local/sbin:/usr/sfw/bin'
>  />
>                               <envvar name='JENKINS_HOME' 
> value='/var/lib/jenkins' />
> {noformat}
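
Review bot: The new method_credential line runs the service as user='nobody', but the JENKINS_HOME envvar in the same method_context still points at '/var/lib/jenkins' and nothing in the patch gives that account write access to the directory, so the service may fail to start or to persist its data after the change. Consider a dedicated service account and group that owns JENKINS_HOME instead of the shared 'nobody' account, which other services may also run under, and document the ownership step next to the manifest. The group=':default' value then follows that account's primary group, which is worth stating in a comment in the manifest.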

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
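
An added example, not part of the issue or of the Jenkins project: a Python check that parses an SMF manifest, lists every method_credential together with the service, instance or exec_method it applies to, and flags the ones configured to run as root. The manifest in the block is constructed, modelled on the fragment quoted in the report; the service and instance names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample manifest modelled on the fragment quoted in the report;
# the service and instance names are hypothetical.
SAMPLE_MANIFEST = """<?xml version='1.0'?>
<service_bundle type='manifest' name='example'>
  <service name='application/example-ci' type='service' version='1'>
    <method_context>
      <method_credential user='root' group='root' />
    </method_context>
    <instance name='hardened' enabled='false'>
      <method_context>
        <method_credential user='nobody' group=':default' />
      </method_context>
    </instance>
  </service>
</service_bundle>
"""

ROOT_IDS = {"root", "0"}  # account name or numeric uid


def audit_manifest(xml_text):
    """Return (scope, user, group, runs_as_root) for each method_credential."""
    findings = []

    def walk(elem, scope):
        # Track which named service / instance / exec_method we are inside.
        if elem.tag in ("service", "instance", "exec_method"):
            scope = scope + [f"{elem.tag}:{elem.get('name', '?')}"]
        if elem.tag == "method_credential":
            user = elem.get("user")
            findings.append(("/".join(scope), user, elem.get("group"),
                             user in ROOT_IDS))
        for child in elem:
            walk(child, scope)

    walk(ET.fromstring(xml_text), [])
    return findings


def root_scopes(xml_text):
    """Scopes whose methods are explicitly configured to run as root."""
    return [f[0] for f in audit_manifest(xml_text) if f[3]]


if __name__ == "__main__":
    for scope, user, group, is_root in audit_manifest(SAMPLE_MANIFEST):
        print(f"{'ROOT' if is_root else 'ok  '} {scope} user={user} group={group}")
```

The check only reports credentials that are written in the manifest; it makes no statement about methods that carry no method_credential element.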

        
