Anyone that can create a job in Jenkins can run a script that create folders on the slaves. This permits the slave to be messy and not reproductible.
- CloudBees Jenkins Enterprise
- Jenkins OpenSource
The solution here is to run the slaves with a user that have no rights outside of the desire FS and is not a sudoer user.
For example, the user running the slave should be created with
sudo useradd -m --home /var/jenkins-slave jenkins
and then use the
/var/jenkins-slave as base folder on the slave configuration. This way, if a user try to run
mkdir /app/dd they won’t be allowed.
However, they will be able to run
mkdir /var/jenkins-slave/toto for example. If this is the problem, then you should look at
chroot the user
jenkins to make sure it can only call tools you authorized and not all the tools in
/usr/bin and so on.
Anyway, you should consider slaves as disposable units that can be re-created using a Chef/Puppet script. This way, even if your users are creating folders and slaves are not the same, it is quite easy to erase the slave host and re-connect it to Jenkins.