I see there are two different points: 1) Securing your Jenkins instance a) Probably you could add some security policies: - https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins - https://wiki.jenkins-ci.org/display/JENKINS/Ownership-Based+security b) Avoid granting privileges to the 'jenkins' user more than the required c) Also you could develop a particular plugin to avoid running jobs which contains those particular rm -rf, although some evil might skip that and do something else...
2) Configuration Management tools Regarding your authorized keys, if you use any kind of Configuration Management tools you might fix that easily as those systems won't be in the expected state and will be changed immediately or after a period of time. Although I'll prefer to trust my users rather than stopping them/blocking them. But that's my point of view. Cheers On Wednesday, 30 March 2016 20:33:50 UTC+1, Jason Hull wrote: > > Hi! > > How do I protect Jenkins from its own jobs and pipelines? > > For instance, I can create a freestyle job with a script step that does > something like: > > echo 'my own key' >> /home/jenkins/.ssh/authorized_keys > > Also, I can write a pipeline like: > > stage 'Destroy' > 'rm -rf /home/jenkins'.execute > echo 'Bye!' > > How to I prevent these types of malicious activities? > > Thanks!! > Jason > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/03d133f6-e21c-4f90-862d-b8680045c5f7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
