Hudson jobs can be configured to have a post-build step which can execute shell commands as an option. Accidentally or intentionally, someone can wipe out the Hudson home directory just by running an rm command. Is there a specific set of permissions on the home directory which will prevent such a scenario?
1
- Are you running Hudson in Tomcat? I'm putting a tentative answer out for now; I might need to update it once I know your container. – Nicholas DiPiazza Oct 17 '12 at 19:58
- I am running it on a WebLogic 10.3.5 container – Amit Mawkin Oct 17 '12 at 19:59
1 Answer
0
On Linux, you will likely be running the Hudson process as the "hudson" user. Using a combination of chown and chmod, you can set the permissions on the Hudson application server directory such that the hudson user only has read access to the Hudson application server directory.
Hudson stores all of its file storage in /var/lib/jenkins by default (if you're using the .deb package).
So basically, make sure that the hudson user has recursive write access to that directory, allow hudson read-only access to the other Hudson installation files, and no access to any other file.

Nicholas DiPiazza
- My major concern is the Hudson home directory. Hudson writes frequently to it, whether it's a new job or any configuration changes. The Execute Shell step, I believe, is not smart enough to detect rm commands – Amit Mawkin Oct 17 '12 at 20:14
- If you restrict hudson group in a fine-grained way, you will be fine. – Nicholas DiPiazza Oct 18 '12 at 19:46
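
The permission split the answer describes, as an added shell example that is not part of the original thread: it strips write bits from the installation tree, restricts the data directory to its owner, and audits both with GNU find. The directory and user arguments are placeholders supplied by the caller; the data directory stays writable by the service account, so this protects the installation files, not the job data inside the home directory.

```bash
#!/usr/bin/env bash
# Added example. The install dir, data dir and service user are
# caller-supplied placeholders; nothing here is Hudson-specific.

# Strip every write bit from the installation tree.
lock_app_dir() { chmod -R a-w "$1"; }

# Data tree: owner gets read/write/traverse, group and other get nothing.
secure_data_dir() { chmod -R u+rwX,go-rwx "$1"; }

# Entries under the install tree that still carry a write bit.
# Symlinks are skipped: their mode always reads rwxrwxrwx.
writable_in_app() { find "$1" ! -type l -perm /222 -print; }

# Entries under the install tree owned by the service account. An owner can
# chmod its own files back to writable, so these defeat lock_app_dir.
owned_by_service() { find "$1" -user "$2" -print; }

# Entries under the data tree reachable by group or other.
exposed_in_data() { find "$1" ! -type l -perm /077 -print; }

# report LABEL FINDINGS: print findings to stderr, return 1 if there are any.
report() {
    [ -z "$2" ] && return 0
    printf '%s:\n%s\n' "$1" "$2" >&2
    return 1
}

# audit_layout APP_DIR DATA_DIR SVC_USER: 0 when the split holds, 1 otherwise.
audit_layout() {
    local bad=0
    report "write bit set under $1" "$(writable_in_app "$1")" || bad=1
    report "owned by $3 under $1" "$(owned_by_service "$1" "$3")" || bad=1
    report "group/other access under $2" "$(exposed_in_data "$2")" || bad=1
    return "$bad"
}
```

Run `audit_layout` from a scheduled job with the real paths and account name; a non-zero exit means the layout has drifted.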