Issue Type: Bug
Assignee: Unassigned
Components: core
Created: 12/Dec/12 4:59 AM
Description:
  • Using Matrix-based security with one admin (full rights) user and Anonymous
  • Jenkins' own user database
  • Build slaves configured to launch over JNLP
  • Jenkins version 1.493

If the user Anonymous has "overall read" permissions, then anyone can access the JNLP file from <server>/computer/<slavename>/slave-agent.jnlp, and connect to the server as a slave via e.g. java -jar slave.jar -jnlpURL http://<server>/computer/<slavename>/slave-agent.jnlp. The URL is trivial to guess, especially since build slave names are displayed on the front page when anonymous read is enabled.

Environment: Linux 32-bit (Fedora-derived Amazon EC2 image), with Jenkins installed via yum.
Project: Jenkins
Priority: Major
Reporter: Andrew Collette
This message is automatically generated by JIRA.

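The precondition the report describes (anonymous Overall/Read lets anyone fetch <server>/computer/<slavename>/slave-agent.jnlp and feed it to slave.jar -jnlpUrl) can be checked from the outside without touching the master's configuration. The script below is an added example, not code from the Jenkins project or from the reporter: it issues unauthenticated GETs for each node's descriptor and reports whether a JNLP document came back, plus the <argument> values inside it, since that argument list is exactly what an anonymous client hands to the agent JAR. The host jenkins.example, the node names, the sample descriptor and the stub server are constructed for offline use; the only thing taken from the report is the URL layout.

```python
"""Check whether a Jenkins master hands out agent JNLP descriptors to anonymous clients.

Added example, not code from the Jenkins project or the bug reporter. It assumes only
the URL layout named in the report (<server>/computer/<slavename>/slave-agent.jnlp);
the sample descriptor and the stub server below are constructed, not captured.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]


def http_get(url: str) -> Tuple[int, str]:
    """Plain unauthenticated GET returning (status, body). Real network; not used offline."""
    req = urllib.request.Request(url, headers={"User-Agent": "jnlp-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def jnlp_arguments(body: str) -> List[str]:
    """Return the <argument> values of a JNLP descriptor: what an anonymous fetcher
    would pass to the agent JAR. Non-XML bodies (login pages, errors) yield []."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [arg.text or "" for arg in root.iter("argument")]


def check_agent(base_url: str, name: str, fetch: Fetcher = http_get) -> Dict[str, object]:
    """Probe one node's descriptor without credentials.

    exposed=True means an anonymous client received a JNLP document, i.e. the
    report's precondition for connecting a rogue agent holds for this node.
    """
    url = f"{base_url.rstrip('/')}/computer/{name}/slave-agent.jnlp"
    status, body = fetch(url)
    exposed = status == 200 and "<jnlp" in body
    return {
        "agent": name,
        "url": url,
        "status": status,
        "exposed": exposed,
        "arguments": jnlp_arguments(body) if exposed else [],
    }


def audit(base_url: str, names: List[str], fetch: Fetcher = http_get) -> List[Dict[str, object]]:
    """Run check_agent over every node name (e.g. the names shown on the front page)."""
    return [check_agent(base_url, n, fetch) for n in names]


# ---- constructed offline fixture: one exposed node, one that Jenkins refuses to serve ----
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://jenkins.example/computer/linux-builder/">
  <information><title>Slave Agent for linux-builder</title></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="http://jenkins.example/jnlpJars/remoting.jar"/>
  </resources>
  <application-desc main-class="hudson.remoting.jnlp.Main">
    <argument>linux-builder</argument>
    <argument>-url</argument>
    <argument>http://jenkins.example/</argument>
  </application-desc>
</jnlp>
"""

STUB_RESPONSES: Dict[str, Tuple[int, str]] = {
    # Anonymous holds Overall/Read: the descriptor is served to anyone.
    "http://jenkins.example/computer/linux-builder/slave-agent.jnlp": (200, SAMPLE_JNLP),
    # Anonymous lacks read access: Jenkins answers with a denial instead of the descriptor.
    "http://jenkins.example/computer/win-builder/slave-agent.jnlp": (403, "<html>Access Denied</html>"),
}


def stub_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_get, backed by the constructed STUB_RESPONSES."""
    return STUB_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for result in audit("http://jenkins.example", ["linux-builder", "win-builder"], stub_fetch):
        flag = "EXPOSED" if result["exposed"] else "ok"
        print(f"{flag:8} {result['status']} {result['url']} args={result['arguments']}")
```

Against a real master, swap stub_fetch for the default http_get and pass the node names visible on the front page; any node reported EXPOSED is one an unauthenticated host could attach to with the -jnlpUrl command in the report. The argument list is worth keeping in the output: everything in it is disclosed to the anonymous client, and in later Jenkins releases that list also carries the per-agent secret, so the same check doubles as a secret-leak check there.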