[JIRA] (JENKINS-12585) SECURITY: LDAP authenticated users switch accounts randomly

Tue, 27 Mar 2012 07:09:35 -0700 

    [ 
https://issues.jenkins-ci.org/browse/JENKINS-12585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160834#comment-160834
 ] 

Christian Höltje commented on JENKINS-12585:
--------------------------------------------

A better description of symptoms:

* I, as a user with admin powers, log in. After a while, I'll notice I'm logged 
in as normal user "singer". I have to log out and log back in to regain my 
normal account and admin powers.
* "bambi" and "singer" can become me by conjuring the new hover thingies and 
then going to a new page.  This includes admin powers.
* "sniper" can hit refresh repeatedly on a page and become "singer" or logged 
out. "sniper" is also an admin.

Note: The usernames have been changed to protect the guilty.
                
> SECURITY: LDAP authenticated users switch accounts randomly
> -----------------------------------------------------------
>
>                 Key: JENKINS-12585
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12585
>             Project: Jenkins
>          Issue Type: Bug
>          Components: security
>    Affects Versions: current
>         Environment: Mac OSX: 10.6.8 Desktop
> Java version: 1.6.0_29
> Access Control
> * Security Realm: LDAP
> * Authorization: Project-based Matrix Authorization Strategy
> Jenkins: 1.448
> Apache
> * Server version: Apache/2.2.17 (Unix)
> * Server built:   Dec  1 2010 09:58:15
>            Reporter: guillermo c
>            Priority: Critical
>
> Running Jenkins behind Apache: mod_proxy with HTTPS
> https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
> So our setup is
> Open Directory group
> jenkins-admin - Jenkins Admins all 
> dev-group-a - Developers can view kick off builds 
> Project-based Matrix Authorization Strategy
> Admin all checked
> dev-group-a checked: Overall:Read  Job:Read,Build Run:Update
> dev-group-b checked: Overall:Read  Job:Read
> issue is I'm an admin and random developer will login and see that there user 
> id is mine and can admin jenkins.
> there has been reported cases that developer A will login and actually be 
> reported by jenkins as Developer B
> were they can no longer trigger CI builds
> My biggest concern is when users login and are reporting as admins and have 
> full access to jenkins.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to