How to enable protection for Jenkins JNLP slaves?

This seems like an obvious question, but I looked high and low and can't find the answer. Here's the situation:

  • I am running a Jenkins continuous integration server on the public Internet, with (trusted) volunteers running subordinate servers on Windows and Linux.
  • We use the JNLP (Web Start) mechanism to start slaves, to avoid problems with the firewall and configuring / debugging ssh.
  • The server is configured based on Matrix-based security

The problem is that I can find exactly zero information on how security works with JNLP. If any anonymous read permissions are granted, then anyone in the world can download slave.jar and access the jnlp file on the (easy to guess) URL on my server and connect as a subordinate.

I found that if I revoke all anonymous access, the jnlp file is blocked, but slave.jar is still available.

There is nothing particularly secure in the jnlp file except for one long hexadecimal number. Is this setting safe or is there something else I should do?

It would be nice if visitors could see the latest builds without logging in, but then again, if I grant anonymous permissions, everyone can access the jnlp file.

+8
security jenkins
2 answers

If any anonymous read permissions are granted, anyone in the world can download slave.jar and access the jnlp file on (easy to guess) URLs on my server and connect as a subordinate.

Turns out it was a critical security vulnerability in Jenkins:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

In answer to my question, it seems the best approach is to disable all anonymous reading options.

+3

From the comments on this Jenkins bug, it seems that this behavior (allowing anyone with read permission to view the jnlp file) was changed in the course of the security vulnerability fix, and you can now restrict access to the jnlp file to specific users.

I also could not find documentation on the current behavior, but you can get some hints by:

  • Revoking all permissions for "anonymous"
  • Trying to download a jnlp file without providing any credentials, using wget or similar

Step 2 will give a "403 Forbidden" response that contains something like

Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Computer.Connect
 ... which is implied by: hudson.model.Computer.Disconnect
 ... which is implied by: hudson.model.Hudson.Administer
-->

The response also contains a JavaScript redirect, so you need to use wget or some other way that does not execute JavaScript to see it.

As a result of trial and error, I found that "hudson.model.Computer.Connect" seems to correspond to the "Slave Connect" permission in the Jenkins user interface.

0
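An added audit script (not from the original answer) that automates the wget check described above: it requests the slave jnlp file and slave.jar with no credentials and, on a 403, pulls the required permission out of the HTML comment in the body. It assumes the standard Jenkins paths /computer/NODE/slave-agent.jnlp and /jnlpJars/slave.jar; the sample 403 body is constructed from the text of the answer above.

```python
"""Audit helper: can an unauthenticated client fetch the JNLP slave files?"""
import re
import sys
import urllib.error
import urllib.request

# Jenkins puts the permission hint in an HTML comment inside the 403 body.
_NEED = re.compile(r"Permission you need to have \(but didn't\):\s*([\w.]+)")
_IMPLIED = re.compile(r"which is implied by:\s*([\w.]+)")

# Constructed sample, modelled on the 403 body quoted in the answer above.
SAMPLE_403 = """Authentication required <!-- You are authenticated as: anonymous
Groups that you are in: Permission you need to have (but didn't):
hudson.model.Computer.Connect ... which is implied by:
hudson.model.Computer.Disconnect ... which is implied by:
hudson.model.Hudson.Administer -->"""


def parse_permission_hint(body: str) -> dict:
    """Extract the missing permission and its implication chain from a 403 body."""
    need = _NEED.search(body)
    return {"needed": need.group(1) if need else None,
            "implied_by": _IMPLIED.findall(body)}


def classify(status: int, body: str) -> str:
    """Turn the status of an anonymous request into an audit verdict."""
    if status == 200:
        return "EXPOSED"  # anonymous can fetch it: revoke anonymous permissions
    if status == 403:
        return f"PROTECTED (needs {parse_permission_hint(body)['needed']})"
    if status in (401, 404):
        return "PROTECTED"
    return f"UNEXPECTED {status}"


def check_anonymous(base_url: str, node: str) -> dict:
    """Fetch the jnlp file and slave.jar without credentials; return verdicts."""
    paths = {"jnlp": f"/computer/{node}/slave-agent.jnlp",
             "jar": "/jnlpJars/slave.jar"}  # assumed standard Jenkins paths
    results = {}
    for name, path in paths.items():
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "jnlp-audit"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                results[name] = classify(resp.status, "")
        except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
            results[name] = classify(err.code, err.read().decode("utf-8", "replace"))
    return results


if __name__ == "__main__":
    print(check_anonymous(sys.argv[1], sys.argv[2]))
```

Run it as `python audit.py https://jenkins.example.org mynode`; anything reported EXPOSED means the Matrix-based security settings still grant that path to anonymous.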
