[JIRA] [authorize-project] (JENKINS-22469) SpecificUsersAuthorizationStrategy easily bypassed by REST/CLI

Thu, 03 Apr 2014 16:57:22 -0700
ikedam commented on Bug JENKINS-22469

example details steps to reproduce the problem using REST:

  1. Install authorize-project plugin
  2. Go to "Manage Jenkins" > "Configure Global Security"
    1. Check "Enable security"
    2. Check "Jenkins's own user database" for "Security Realm"
    3. Check "Matrix-based security" for "Authorization"
    4. Add user "admin" to "Matrix-based security" and check all permissions.
    5. Add user "devel" to "Matrix-based security" and check all permissions execpt "Administer".
      • Admin is not really registered to Jenkins's user database, but that doesn't matter in this case.
    6. Add "Configure Build Authorizations in Project Configuration" for "Access Control for Builds"
  3. Create users by signing up.
    1. Create "admin"
    2. Create "devel"
  4. Sign in as "devel"
  5. Test that "devel" cannot configure authorize-project for "admin"
    1. Create a new free-style project
    2. Check "Configure Build Authorization"
    3. Check "Run as Specific User"
    4. Enter "admin" for "User ID"
    5. Leave empty for "Password"
    6. Save the configuration. It will cause an error for failure of authentication.
  6. Create a project that run as "devel"
    1. Create a new free-style project
    2. Check "Configure Build Authorization"
    3. Check "Run as Specific User"
    4. Enter "devel" for "User ID"
    5. Save the configuration.
  7. retreive current config.xml 
    curl -u devel:devel -o config.xml http://[path to jenkins]/[projectname]/config.xml
    • wget does not work, as Jenkins returns not 401 but 403 (wget requires 401 before sending a username and a password).
  8. modify "<userid>devel</userid>" to "<userid>admin</userid>" in config.xml
  9. Overwrite the configuration 
    curl -u devel:devel -d @config.xml http://[path to jenkins]/[projectname]/config.xml
  10. Open the configuration page. The project is configured to run as "admin".
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to