Draft for review: script security #4693
+69
−1
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,3 +18,4 @@ sections: | |
|
|
||
| # Further references | ||
| - services | ||
| - scripting | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,70 @@ | ||||||
| --- | ||||||
| title: Security for Scripts | ||||||
| layout: section | ||||||
| --- | ||||||
| ifdef::backend-html5[] | ||||||
| :toc: | ||||||
| ifdef::env-github[:imagesdir: ../resources] | ||||||
| ifndef::env-github[:imagesdir: ../../resources] | ||||||
| :hide-uri-scheme: | ||||||
| endif::[] | ||||||
|
|
||||||
| Apache Groovy scripts can be executed on the Jenkins controller and agents through various mechanisms including: | ||||||
|
|
||||||
| * link:/doc/book/managing/script-console/[Script Console] | ||||||
| * link:https://plugins.jenkins.io/groovy/[Groovy plugin] | ||||||
| when using the "Execute system Groovy script" step | ||||||
| * link:https://plugins.jenkins.io/email-ext/[Extended Email plugin] | ||||||
| * link:https://plugins.jenkins.io/groovy/[Job DSL plugin] | ||||||
| * link:https://www.jenkins.io/doc/book/pipeline/[Pipelines] | ||||||
|
There was a problem hiding this comment. I think we're fairly explicit in that Pipelines are not Groovy because of the missing support for some language features. |
||||||
|
|
||||||
| Scripts are powerful and useful tools but they must be managed carefully | ||||||
| to ensure that they are not used to compromise your installation: | ||||||
|
|
||||||
| * Limit the people to whom the *Overall/Administer* permission is granted. | ||||||
| This allows people to use the | ||||||
| link:/doc/book/managing/script-console/[Script Console]. | ||||||
| This authorization allows one to type in and execute an Apache Groovy script | ||||||
| in a largely unrestricted environment | ||||||
| so it should only be available to highly trusted, sophisticated users. | ||||||
|
There was a problem hiding this comment. Probably better to beef up https://www.jenkins.io/doc/book/security/permissions/#access-granted-with-overalladminister and reference that here? |
||||||
|
|
||||||
|
|
||||||
| Two facilities are provided that allow users with lesser permissions | ||||||
| (such as *Job/Configure* or *Job/Build*) to run scripts that may be associated with plugins or their applications: | ||||||
|
|
||||||
| * Jenkins maintains a list of "approved" scripts that cannot do any damage. | ||||||
| If a user attempts to run a script that is not approved, | ||||||
| the script is blocked until an administrator reviews the script and approves it | ||||||
| using the _Manage Jenkins » In-process Script Approval_ screen. | ||||||
| See the link:/doc/book/managing/script-approval/[In-process Script Approval] documentation for more information. | ||||||
| In most cases, you should use the | ||||||
| link:/doc/book/managing/script-approval/#approve-assuming-permissions-check[Approve assuming permissions check] option rather than the simple Approve option. | ||||||
|
There was a problem hiding this comment.
Suggested change
No this is not true at all and in fact that option should rarely if ever be used. Anyway this option pertains to sandbox signatures, unrelated to whole-script approval which this bullet point is about. |
||||||
|
|
||||||
| * Groovy scripts can be run in the | ||||||
| link:/doc/book/managing/script-approval/#groovy-sandbox[Groovy Sandbox] without approval. | ||||||
| Each method call, object construction, and field access is checked against a list of allowed operations. | ||||||
| If the script attempts to call any operations that are not allowed, | ||||||
| it is killed and the unallowed operation is added to an approval queue. | ||||||
| An administrator can approve that operation and then the script can be rerun. | ||||||
|
|
||||||
| * Scripts written in languages other than Groovy can be run by an administrator | ||||||
| or must be approved by an administrator; | ||||||
| the sandbox is only for Groovy scripts. | ||||||
|
There was a problem hiding this comment. Almost never matters I think?
That seems to be it? There was a problem hiding this comment. Are you saying lines 52-54 should be deleted? |
||||||
|
|
||||||
| * Users can disable the Groovy sandbox. | ||||||
| The entire script must be approved by the administrator unless it is in the list of administrator-managed list of approved scripts. | ||||||
|
There was a problem hiding this comment. This is just part of the first bullet point? |
||||||
| `` | ||||||
| ` | ||||||
|
|
||||||
| //// | ||||||
| This is an alternative to the preceding bullet item. | ||||||
| I am guessing that the documenttion reflects the current reality. | ||||||
|
|
||||||
| * You should never disable the sandbox. If you disable the sandbox, a Scripted Pipeline (or a `script` step in a Declarative Pipeline) has unfettered access to Jenkins internal objects. | ||||||
| For a light-hearted explanation about how dangerous this can be, see | ||||||
| link:https://brokenco.de/2017/08/03/donut-disable-groovy-sandbox.html[Do not disable Groovy Sandbox]. | ||||||
StackScribe marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| //// | ||||||
|
|
||||||
| See link:https://plugins.jenkins.io/script-security/[Script Security plugin] | ||||||
| for more information. | ||||||
|
|
||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it's better to structure this page more explicitly along the following lines to guide readers along a top-level view of the concepts involved?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this! As you may have guessed, I did not understand this well but this clarifies things a lot! I will rewrite.