On Thu, Jan 16, 2014 at 09:33:34AM -0800, Kohsuke Kawaguchi wrote:
> On 01/16/2014 06:19 AM, Marius Gedminas wrote:
> > What about packaging? The Debian packages available from upstream start
> > the web server on the public IP right from the post-inst script, before
> > you get a chance to set up any security. This allows remote code
> > execution as user jenkins.
> >
> > (The Jenkins package in the Ubuntu archive is configured to start the
> > web server on localhost only, which sounds like a sane mitigation
> > strategy to me.)
>
> Yeah, this is a good idea.

I filed https://issues.jenkins-ci.org/browse/JENKINS-21417 for this.

> Perhaps a slight variation of it is to keep listening to these ports
> like we do today but to show the message saying non-local access is
> blocked until you acknowledge what you are doing?
>
> That way, it would work across platforms and it's less confusing to
> those who are less experienced in system administration?
>
> Something like that can be packaged as a plugin, which makes the
> integration process easy --- you can just go create code yourself
> and other people can try/use it, and we'd only have to bundle it in
> the core.

Hm. Yes, a page explaining what to do would be more user-friendly. E.g.
it could tell the admin how to use SSH port-forwarding to connect to
Jenkins and get full access to the configuration pages, or what config
files to edit to set a password.

(I'm not volunteering to implement this. My familiarity with Java ended
with a brief university course in 2000.)

> > Should I file a bug? (I have filed a few bugs about packaging issues
> > (one involving data loss), but haven't seen any response at all after
> > many months, which made me stop caring. I have some small expertise
> > with Debian packaging, and I'm willing to post patches, if I think they
> > will not be silently ignored for months.)
>
> OK, our apologies. Do you know which ones they are? We want to take a look.

https://issues.jenkins-ci.org/browse/JENKINS-18797 and
https://issues.jenkins-ci.org/browse/JENKINS-18798 were the most annoying,
with the 1st one clobbering my configuration (luckily, I had a backup).

https://issues.jenkins-ci.org/browse/JENKINS-19329 is related to 18798.

Perhaps I picked the wrong component? It was the only one that mentioned
Debian packaging.

Marius Gedminas
--
6 out of 7 dwarves are not Happy.
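The thread contrasts a Jenkins package that binds the web UI to every interface right after install with one that binds localhost only, and mentions SSH port-forwarding as the way an admin then reaches the configuration pages. The script below is an added example written for this page, not code from the thread, the Jenkins project or either distribution's packaging. It assumes an `/etc/default/jenkins`-style file whose `JENKINS_ARGS` line carries Winstone's `--httpListenAddress=` flag (the upstream fragment and the `ci.example.org` host used in the demo are constructed), reports whether the configured address is loopback-only, rewrites the weak setting to the hardened one, and prints the `ssh -L` command that gives the admin a tunnel to a localhost-bound instance.

```shell
#!/bin/sh
# Added example: audit and harden the listen address of a Debian/Ubuntu
# style Jenkins package configuration. The file layout (JENKINS_ARGS in
# /etc/default/jenkins) and --httpListenAddress are assumed; the sample
# config and host names below are constructed for the demo.

# Pull the JENKINS_ARGS value out of an /etc/default/jenkins style file.
read_jenkins_args() {
    sed -n 's/^JENKINS_ARGS="\(.*\)"$/\1/p' "$1"
}

# Extract the --httpListenAddress value from a JENKINS_ARGS string.
# Prints 0.0.0.0 when the flag is absent, i.e. bind all interfaces,
# which is what the upstream package behaviour in the thread amounts to.
jenkins_listen_address() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*--httpListenAddress=\([^ "]*\).*/\1/p')
    if [ -z "$addr" ]; then
        echo "0.0.0.0"
    else
        echo "$addr"
    fi
}

# Exit status 0 when the address only reaches the loopback interface.
is_loopback_only() {
    case "$1" in
        127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite JENKINS_ARGS so Jenkins binds loopback only: replace an existing
# --httpListenAddress, or append one when the flag is missing.
harden_jenkins_args() {
    if printf '%s' "$1" | grep -q -- '--httpListenAddress='; then
        printf '%s\n' "$1" | sed 's/--httpListenAddress=[^ ]*/--httpListenAddress=127.0.0.1/'
    else
        printf '%s --httpListenAddress=127.0.0.1\n' "$1"
    fi
}

# The SSH tunnel an admin uses to reach a loopback-bound Jenkins: forwards
# local_port on the workstation to 127.0.0.1:jenkins_port on the CI host,
# so the UI is reachable at http://localhost:local_port/ without exposing it.
ssh_forward_cmd() {
    echo "ssh -N -L $2:127.0.0.1:$3 $1"
}

# Demo on a constructed upstream-style config that has no listen address.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed /etc/default/jenkins fragment (not a real package file)
HTTP_PORT=8080
JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT"
EOF
args=$(read_jenkins_args "$tmp")
addr=$(jenkins_listen_address "$args")
if is_loopback_only "$addr"; then
    echo "Jenkins binds $addr: loopback only"
else
    echo "WARNING: Jenkins binds $addr: reachable from the network before any security is configured"
    echo "Hardened JENKINS_ARGS: $(harden_jenkins_args "$args")"
    echo "Reach it afterwards with: $(ssh_forward_cmd ci.example.org 8080 8080)"
fi
rm -f "$tmp"
```

The config check only tells you what the init script will pass to Jenkins; after a restart, confirm the live socket with `ss -ltn` (or `netstat -ltn`) and make sure port 8080 shows `127.0.0.1:8080` rather than `0.0.0.0:8080` or `*:8080`. Binding loopback is a mitigation for the unauthenticated window after install, not a substitute for enabling security in Jenkins itself.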