Draft for review: script security #4693
base: master
Changes from 15 commits
b2b3e52
886ebd2
c8ae250
d8e003b
d2aab6b
3a3a32b
5fc40ab
a63c2f9
63c6612
69bf246
c86ca72
38eeee9
a81d9ad
b6ea796
74c68f9
d1ca19f
071860d
268893c
44edf2e
5f63222
a7fc9bb
e2e973d
d2b364b
30f2ab0
5163109
@@ -18,3 +18,4 @@ sections: | |
|
||
# Further references | ||
- services | ||
- scripting |
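Review bot: The new `- scripting` entry in this `sections:` list has to match the slug of the page added in this PR, and that page's path is not visible here (only its title, "Security for Scripts", is). Please confirm the entry resolves to the new file, since a mismatched section name would silently drop the page from "Further references" or break the site build.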
@@ -0,0 +1,70 @@ | ||||||
--- | ||||||
title: Security for Scripts | ||||||
layout: section | ||||||
--- | ||||||
ifdef::backend-html5[] | ||||||
:toc: | ||||||
ifdef::env-github[:imagesdir: ../resources] | ||||||
ifndef::env-github[:imagesdir: ../../resources] | ||||||
:hide-uri-scheme: | ||||||
endif::[] | ||||||
|
||||||
Apache Groovy scripts can be executed on the Jenkins controller and agents through various mechanisms including: | ||||||
|
||||||
* link:/doc/book/managing/script-console/[Script Console] | ||||||
* link:https://plugins.jenkins.io/groovy/[Groovy plugin] | ||||||
when using the "Execute system Groovy script" step | ||||||
* link:https://plugins.jenkins.io/email-ext/[Extended Email plugin] | ||||||
* link:https://plugins.jenkins.io/groovy/[Job DSL plugin] | ||||||
* link:https://www.jenkins.io/doc/book/pipeline/[Pipelines] | ||||||
I think we're fairly explicit in that Pipelines are not Groovy because of the missing support for some language features.
||||||
|
||||||
Scripts are powerful and useful tools but they must be managed carefully | ||||||
to ensure that they are not used to compromise your installation: | ||||||
|
||||||
* Limit the people to whom the *Overall/Administer* permission is granted. | ||||||
This allows people to use the | ||||||
link:/doc/book/managing/script-console/[Script Console]. | ||||||
This authorization allows one to type in and execute an Apache Groovy script | ||||||
in a largely unrestricted environment | ||||||
so it should only be available to highly trusted, sophisticated users. | ||||||
Probably better to beef up https://www.jenkins.io/doc/book/security/permissions/#access-granted-with-overalladminister and reference that here?
||||||
|
||||||
|
||||||
Two facilities are provided that allow users with lesser permissions | ||||||
(such as *Job/Configure* or *Job/Build*) to run scripts that may be associated with plugins or their applications: | ||||||
|
||||||
* Jenkins maintains a list of "approved" scripts that cannot do any damage. | ||||||
If a user attempts to run a script that is not approved, | ||||||
the script is blocked until an administrator reviews the script and approves it | ||||||
using the _Manage Jenkins » In-process Script Approval_ screen. | ||||||
See the link:/doc/book/managing/script-approval/[In-process Script Approval] documentation for more information. | ||||||
In most cases, you should use the | ||||||
link:/doc/book/managing/script-approval/#approve-assuming-permissions-check[Approve assuming permissions check] option rather than the simple Approve option. | ||||||
No this is not true at all and in fact that option should rarely if ever be used. Anyway this option pertains to sandbox signatures, unrelated to whole-script approval which this bullet point is about.
||||||
|
||||||
* Groovy scripts can be run in the | ||||||
link:/doc/book/managing/script-approval/#groovy-sandbox[Groovy Sandbox] without approval. | ||||||
Each method call, object construction, and field access is checked against a list of allowed operations. | ||||||
If the script attempts to call any operations that are not allowed, | ||||||
it is killed and the unallowed operation is added to an approval queue. | ||||||
An administrator can approve that operation and then the script can be rerun. | ||||||
|
||||||
* Scripts written in languages other than Groovy can be run by an administrator | ||||||
or must be approved by an administrator; | ||||||
the sandbox is only for Groovy scripts. | ||||||
Almost never matters I think?
That seems to be it?
Yup, very uncommon.
Are you saying lines 52-54 should be deleted?
||||||
|
||||||
* Users can disable the Groovy sandbox. | ||||||
The entire script must be approved by the administrator unless it is in the list of administrator-managed list of approved scripts. | ||||||
This is just part of the first bullet point?
||||||
`` | ||||||
` | ||||||
|
||||||
//// | ||||||
This is an alternative to the preceding bullet item. | ||||||
I am guessing that the documenttion reflects the current reality. | ||||||
|
||||||
* You should never disable the sandbox. If you disable the sandbox, a Scripted Pipeline (or a `script` step in a Declarative Pipeline) has unfettered access to Jenkins internal objects. | ||||||
For a light-hearted explanation about how dangerous this can be, see | ||||||
link:https://brokenco.de/2017/08/03/donut-disable-groovy-sandbox.html[Do not disable Groovy Sandbox]. | ||||||
|
||||||
//// | ||||||
|
||||||
See link:https://plugins.jenkins.io/script-security/[Script Security plugin] | ||||||
for more information. | ||||||
|
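Review bot: The "Job DSL plugin" bullet links to `https://plugins.jenkins.io/groovy/`, the same URL used for the Groovy plugin two entries above; it should point at the Job DSL plugin's own page (https://plugins.jenkins.io/job-dsl/). Two further things to clean up in this hunk: the two stray lines containing only backticks after the "Users can disable the Groovy sandbox" bullet will render as empty literal markup and should be removed, and "documenttion" in the commented-out block is a typo. On substance, the sentence recommending "Approve assuming permissions check" over plain Approve belongs to the sandbox-signature workflow, not to the whole-script approval this bullet describes (as the inline review comment says), so drop it from that bullet rather than leaving guidance that would push admins toward the wrong approval path.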
|
@@ -64,6 +64,7 @@ Use link:https://man7.org/linux/man-pages/man8/cron.8.html[cron] | |
to schedule when the backup script runs. | ||
|
||
The shell script should create a directory such as `/mnt/backup` | ||
|
||
?
||
to which the backup will be written; | ||
be sure that you have write permissions to that directory. | ||
Consider creating `/mnt/backup` as a separate filesystem with its own mount point. | ||
|
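Review bot: The added sentence "Consider creating `/mnt/backup` as a separate filesystem with its own mount point." gives the reader no reason to do it, which is presumably what the "?" review comment is asking. Either state the benefit you have in mind (for example, that a backup volume filling up then cannot exhaust the filesystem Jenkins itself runs on, or that the volume can be mounted and copied off-host independently) or drop the sentence; as written it reads as an unexplained requirement in the middle of the write-permission guidance.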
@@ -186,6 +187,7 @@ Now execute the restored Jenkins instance: | |
|
||
[source,bash] | ||
---- | ||
|
||
?
||
java -jar jenkins.war ---httpPort=9999 | ||
---- | ||
|
||
|
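Review bot: `java -jar jenkins.war ---httpPort=9999` has three leading dashes; the Jenkins war option is `--httpPort`, so the command as written will not start the restored instance on port 9999. Since this sits in a `[source,bash]` block that readers will copy verbatim, change it to `java -jar jenkins.war --httpPort=9999`.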
Maybe it's better to structure this page more explicitly along the following lines to guide readers along a top-level view of the concepts involved?
Thanks for this! As you may have guessed, I did not understand this well but this clarifies things a lot! I will rewrite.