Preventing users to create any kind of folders on agents

Issue

Anyone that can create a job in Jenkins can run a script that create folders on the agents. This permits the agent to be messy and not reproductible.

Environnement

  • CloudBees Jenkins Enterprise
  • Jenkins OpenSource

Solution

The solution here is to run the agents with a user that have no rights outside of the desire FS and is not a sudoer user.

For example, the user running the agent should be created with

sudo useradd -m --home /var/jenkins-agent jenkins

and then use the /var/jenkins-agent as base folder on the agent configuration. This way, if a user try to run mkdir /app/dd they won’t be allowed.

However, they will be able to run mkdir /var/jenkins-agent/toto for example. If this is the problem, then you should look at chroot the user jenkins to make sure it can only call tools you authorized and not all the tools in /usr/bin and so on.

Anyway, you should consider agents as disposable units that can be re-created using a Chef/Puppet script. This way, even if your users are creating folders and agents are not the same, it is quite easy to erase the agent host and re-connect it to Jenkins.

Have more questions?

0 Comments

Please sign in to leave a comment.