
I don't want to run Jenkins as root, nor does giving public access (or even group access) to /etc/shadow seem to be a good idea.

As suggested by "Manage Jenkins" when selecting Linux user/group database: "Either Jenkins needs to run as root or User 'httpd' needs to belong to group root and 'chmod g+r /etc/shadow' needs to be done to enable Jenkins to read /etc/shadow"

From a security standpoint, what would be the best practice for running Jenkins while still being able to perform some tasks as a superuser (in case my jobs need that)?

MauricioOtta

1 Answer


A better practice would be to use the pwauth plugin, which lets you run Jenkins as a non-root user, and only pwauth itself needs to be setuid root to perform the actual authentication.

Michael Hampton
  • Thanks! The only 2 things I needed to do besides installing the pwauth plugin were making sure I had the package for it installed on my ArchLinux server and making sure the paths under Advanced Path Configuration were correct. – MauricioOtta May 24 '13 at 07:18
  • Leaving this to help others: `yaourt pwauth`, `usermod -a -G pwauth jenkins` – MauricioOtta Jun 28 '13 at 07:20
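
A read-only check of the layout the answer and comments describe, as an added example that is not part of the original thread. The shadow file, the pwauth binary path and the service account are caller-supplied arguments; it assumes GNU `stat`, and it treats a world-executable helper as a failure on the assumption that access is meant to go through the `pwauth` group from the last comment.

```shell
#!/bin/sh
# Added example: audit a non-root Jenkins + setuid pwauth layout.
# Assumes Linux with GNU stat; paths and account name come from the caller.

# Permission bits as an octal literal usable in shell arithmetic (e.g. 04750).
mode_of() { printf '0%s' "$(stat -c '%a' "$1")"; }

# Group or other can read the file (the effect of 'chmod g+r /etc/shadow').
readable_beyond_owner() { [ $(( $(mode_of "$1") & 0044 )) -ne 0 ]; }

# Setuid bit is present.
is_setuid() { [ $(( $(mode_of "$1") & 04000 )) -ne 0 ]; }

# Any local user may execute the file.
world_executable() { [ $(( $(mode_of "$1") & 0001 )) -ne 0 ]; }

# File owner is UID 0.
owned_by_root() { [ "$(stat -c '%u' "$1")" = "0" ]; }

# Account has UID 0.
is_uid_zero() { [ "$(id -u "$1" 2>/dev/null)" = "0" ]; }

# Account is a member of the named group.
in_group() { id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"; }

# audit SHADOW_FILE HELPER_BINARY SERVICE_ACCOUNT
# Prints one FAIL line per problem; returns 0 only when every check passes.
audit() {
    shadow=$1; helper=$2; svc=$3; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    if readable_beyond_owner "$shadow"; then fail "$shadow is readable by group or other"; fi
    if ! owned_by_root "$helper"; then fail "$helper is not owned by root"; fi
    if ! is_setuid "$helper"; then fail "$helper is not setuid"; fi
    if world_executable "$helper"; then fail "$helper can be run by every local user"; fi
    if is_uid_zero "$svc"; then fail "$svc has UID 0"; fi
    if in_group "$svc" root; then fail "$svc is a member of group root"; fi
    return $rc
}

# Run the audit only when called with the three arguments.
[ $# -ne 3 ] || audit "$@"
```

Invoke it with the shadow file, the helper path configured under Advanced Path Configuration, and the account Jenkins runs as; a non-zero exit status means at least one FAIL line was printed.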