On Tuesday, 29 April 2014, Zedd <mani.azizza...@gmail.com> wrote:
> Hi all,
>
> I understand that if a Jenkins master is compromised, then slaves are
> compromised. But I did not think that the reverse was true. However, I
> stumbled upon information on this page about Jenkins security
> <https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins> where the
> following is mentioned:
>
> *"Also, slaves that are connected to Jenkins gain the full access to the
> entire Jenkins build cluster, since a slave can send code to the master to
> be executed."*
>
> Is this really true? Does it also hold for all types of master-slave
> connections (JNLP, SSH etc)? If that is the case it would mean that once a
> slave has been compromised, the whole cluster (including the master) is
> also compromised?
>
There is a setting that allows the channel to prevent classloading from the slave side of the channel. That only allows the slave to call methods and classes that are already in the master's classloader... Let's see, String and Groovy/Rhino are going to be in the master's classloader... So we just need to find a Channel.export() interface that exposes such a method... I am not aware of any... But there could be one.

The hard part is injecting compromised code into the slave JVM. If you only use the FreeStyle project type, and you verify the slave.jar's signature, you should be safe. The (cough) Maven (cough) project type exposes a compromise vector though.

> Please help me understand this.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Sent from my phone