
Bug 422997

Summary: Scan for insane permissions
Product: Community
Reporter: Denis Roy <denis.roy>
Component: CI-Jenkins
Assignee: Thanh Ha <thanh.ha>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: ci.admin-inbox, webmaster
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux
Whiteboard:
Attachments: list.txt (flags: none)

Description Denis Roy CLA 2013-12-02 16:11:31 EST
HIPP administrators could potentially delegate admin access to others.  Also, they could, accidentally or intentionally, give anonymous users more access than simply viewing a job.  Even allowing anon. users to launch jobs could be a vector for DoS attacks against our servers.

Since all (most?) of the config files are in xml and in a centralized location, I think we should automagically scan for insane permissions and warn.
Comment 1 Thanh Ha CLA 2013-12-02 16:27:39 EST
I found in each job config.xml there's a string (or a series of strings) we can search for. Such as:

    <permission>hudson.model.Item.Build:anonymous</permission>


I'll come up with a list of permissions I think we should not allow anonymous to have.

The script could likely be a cron job that scans all jobs once a day, looks for these permissions, then notifies Webmaster (or, if it can be smarter, the HIPP Project too).
Comment 2 Thanh Ha CLA 2013-12-19 13:58:25 EST
Here is a full list of permissions that are possible to enable for a user on a job.

      <permission>hudson.model.Item.Workspace:anonymous</permission>
      <permission>hudson.model.Run.Update:anonymous</permission>
      <permission>hudson.model.Run.Delete:anonymous</permission>
      <permission>hudson.model.Item.Delete:anonymous</permission>
      <permission>hudson.model.Item.Build:anonymous</permission>
      <permission>hudson.model.Item.Read:anonymous</permission>
      <permission>hudson.model.Item.Configure:anonymous</permission>



I think the only one that should be allowed is Read. Maybe Workspace too if a project wants people to be able to browse the Workspace (such as if they are not promoting artifacts).


I do not think anonymous users need any other permissions.
Comment 3 Thanh Ha CLA 2013-12-19 14:18:29 EST
This command seems to do the job:

    find /backupjobs -name config.xml -print0 | xargs -0 grep '<permission>' | grep anonymous | egrep -v '(hudson.model.Item.Workspace|hudson.model.Item.Read)'
Comment 4 Thanh Ha CLA 2013-12-19 14:19:20 EST
Created attachment 238499
list.txt

Attached is a list of the output of the above command run against our job backups.
Comment 5 Thanh Ha CLA 2013-12-19 14:22:00 EST
(In reply to Thanh Ha from comment #3)
> This command seems to do the job:
> 
> find /backupjobs -name config.xml -print0 | xargs -0 grep '<permission>' |
> grep anonymous | egrep -v
> '(hudson.model.Item.Workspace|hudson.model.Item.Read)'

I will make this an admintools script. I guess we can add this as a cronjob on one of the servers and have it email us the list maybe once a week?
Comment 6 Thanh Ha CLA 2014-01-14 10:30:08 EST
There is discussion in bug 425171 regarding adding extended read permissions for anonymous users. We will likely have to ensure this permission is added to the allowed list.
Comment 7 Thanh Ha CLA 2014-01-30 11:35:38 EST
I added a hippcheckpermissions script to admintools and set up a cron job on build to run every day at 12:05. Hopefully it makes it into the webmaster inbox, then I can start contacting projects that have overly permissive permissions.
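
An added example, not the admintools hippcheckpermissions script from this bug: a POSIX shell version of the scan in comment 3 that compares the permission name and the user exactly instead of by substring, and prints one config file and permission per line. The `ALLOWED_ANON` variable, the function names and the sample job files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the Eclipse admintools script.
# Permissions anonymous may keep, per comment 2 (Read, optionally Workspace).
ALLOWED_ANON="hudson.model.Item.Read hudson.model.Item.Workspace"

# scan_anon_perms DIR: print "config-path<TAB>permission" for every
# anonymous grant that is not on the allow-list.
scan_anon_perms() {
    find "$1" -type f -name config.xml -exec awk -v allow="$ALLOWED_ANON" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            line = $0
            # Several <permission> elements may share one line; consume each.
            while (match(line, /<permission>[^<]*<\/permission>/)) {
                entry = substr(line, RSTART + 12, RLENGTH - 25)
                line = substr(line, RSTART + RLENGTH)
                gsub(/[ \t\r]/, "", entry)
                sep = index(entry, ":")
                perm = substr(entry, 1, sep - 1)
                sid = substr(entry, sep + 1)
                # Exact sid comparison: "anonymous2" or a job path that
                # contains "anonymous" must not match.
                if (sep > 0 && sid == "anonymous" && !(perm in ok))
                    print FILENAME "\t" perm
            }
        }' {} +
}

# Constructed sample data (hypothetical job names and contents).
make_sample_jobs() {
    mkdir -p "$1/job a" "$1/job-b"
    cat > "$1/job a/config.xml" <<'EOF'
<project>
  <permission>hudson.model.Item.Read:anonymous</permission>
  <permission>hudson.model.Item.Build:anonymous</permission>
  <permission>hudson.model.Item.Configure:anonymous2</permission>
</project>
EOF
    cat > "$1/job-b/config.xml" <<'EOF'
<project>
  <permission>hudson.model.Item.Workspace:anonymous</permission><permission> hudson.model.Run.Delete:anonymous </permission>
</project>
EOF
}

# Demo run against the constructed tree.
demo_dir=$(mktemp -d)
make_sample_jobs "$demo_dir"
scan_anon_perms "$demo_dir"
rm -rf "$demo_dir"
```

Run from cron, the function prints nothing when every job is within the allow-list, so mail is only generated when there is something to review.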