Preventing users to create any kind of folders on slaves

Issue

Anyone that can create a job in Jenkins can run a script that create folders on the slaves. This permits the slave to be messy and not reproductible.

Environnement

  • CloudBees Jenkins Enterprise
  • Jenkins OpenSource

Solution

The solution here is to run the slaves with a user that have no rights outside of the desire FS and is not a sudoer user. 

For example, the user running the slave should be created with

sudo useradd -m --home /var/jenkins-slave jenkins

and then use the /var/jenkins-slave as base folder on the slave configuration. This way, if a user try to run mkdir /app/dd they won’t be allowed.

However, they will be able to run mkdir /var/jenkins-slave/toto for example. If this is the problem, then you should look at chroot the user jenkins to make sure it can only call tools you authorized and not all the tools in /usr/bin and so on.

Anyway, you should consider slaves as disposable units that can be re-created using a Chef/Puppet script. This way, even if your users are creating folders and slaves are not the same, it is quite easy to erase the slave host and re-connect it to Jenkins.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.