6

For security reasons we thought it would be better if the Jenkins Windows service would run as a user without admin rights. However, this leads to an error on Jenkins server startup:

    java.io.IOException: Access is denied
        at java.io.WinNTFileSystem.createFileExclusively(Native Method)
        at java.io.File.createTempFile(Unknown Source)
        at hudson.util.AtomicFileWriter.<init>(AtomicFileWriter.java:142)
    Caused: java.io.IOException: Failed to create a temporary file in C:\Program Files (x86)\Jenkins

The user (Windows 7, Active Directory user) has all rights on the Jenkins folder (excluding 'Special rights', which cannot be chosen).

Is it possible/reasonable to run the Jenkins Windows service (server as well as slaves on other computers) as a non-admin user?

Andrew Gray
Meera
  • Is it about the Jenkins slave agent as a service or the Jenkins server? – user_9090 Aug 07 '18 at 09:28
  • Both actually, the error is from the server. I edited it into the question. – Meera Aug 07 '18 at 09:47
  • 1
    You can follow the URL for Jenkins server as service https://wiki.jenkins.io/pages/viewpage.action?pageId=57183824 and for slave you should do as system administrator. – user_9090 Aug 07 '18 at 11:07
  • 1
    Have you made the user creator/owner of the Jenkins folder? – towel Aug 07 '18 at 11:48
  • @Gaurav I already installed Jenkins and the slave as services. They worked well when they ran as a user with admin rights. Now that the system is established we want to change the user to a user without admin rights and that is where the trouble started. – Meera Aug 07 '18 at 12:01
  • @towel Thank you, I will try that! – Meera Aug 07 '18 at 12:01
  • When the slave is used to execute a build step, it will be performed as the ID running the service. Therefore, the ID needs to have permissions to perform the build steps. You may want to consider using a System ID. This will ensure the password doesn't expire and the slave service stays online. It also allows you a separation of duties, eliminating the need for users to have physical access to the environment that performs the build. – David Aug 11 '18 at 23:03

2 Answers

3

I would suggest installing Jenkins in a secondary partition, like G:\Jenkins.

Even if you don't have a secondary partition, C:\Jenkins is better than C:\Program Files\Jenkins or C:\Program Files (x86)\Jenkins to avoid the operating system unnecessarily getting in the way.

With that in place I always set the Jenkins service to run as a user (preferably a service account with a non-expiring password) that is a member of the Administrators group on the box.

Doing this usually avoids many of the unnecessary annoying permissions issues that only get in the way and slow your progress.

It should be noted that when it comes to Windows Batch Steps, Jenkins will not Run As Administrator (at least it hasn't in the years since 2007 I have been using Jenkins).

Andrew Gray
  • 3
    This doesn't answer the question and seems like generally bad advice. Yes, running as admin avoids annoying permissions issues. – Andrew J. Brehm Mar 11 '21 at 09:57
  • Security is annoying but violating the Principle of Least Privilege (https://en.wikipedia.org/wiki/Principle_of_least_privilege) is not the right solution. – Carlos Quintero Feb 21 '22 at 07:51
0

It appears that allowing the Jenkins service account access to "C:\Program Files\Jenkins" and SeServiceLogonRight are sufficient.

Andrew J. Brehm
  • 2
    I tried this just now and Jenkins could not restart itself (after installing/upgrading plugins), so if that's a feature you want, there might be other rights required. – user4851 Apr 19 '21 at 20:13
  • Hm... I have been running Jenkins like this for weeks now. I cannot remember any other setting I had configured in that context. – Andrew J. Brehm May 09 '21 at 21:15
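
The setup described in the second answer (folder access plus SeServiceLogonRight for a non-admin service account), as an added example that is not part of the original posts. The account name `CONTOSO\svc-jenkins` and the service name `Jenkins` are placeholders, and granting Modify rather than Full control is this example's assumption; the answer only says "access".

```powershell
# Added example: run from an elevated Windows PowerShell prompt.
$Account    = 'CONTOSO\svc-jenkins'        # placeholder: your non-admin service account
$JenkinsDir = 'C:\Program Files\Jenkins'   # path from the answer above
$Service    = 'Jenkins'                    # assumed service name

# 1. Grant Modify on the folder, inherited by subfolders (CI) and files (OI).
#    Modify includes creating files, which is what File.createTempFile needs.
icacls $JenkinsDir /grant "${Account}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed for $JenkinsDir" }

# 2. Resolve the account to its SID; the security policy export lists holders as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the local user-rights assignments and read the SeServiceLogonRight line.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item $cfg

$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}

# Entries are either *SID or a plain account name. A right granted through a
# group shows the group's SID here, so a miss is not proof the right is absent.
$shortName = ($Account -split '\\')[-1]
$direct = ($holders -contains "*$sid") -or ($holders -contains $Account) -or
          ($holders -contains $shortName)

if ($direct) {
    "OK: $Account holds SeServiceLogonRight directly."
} else {
    "CHECK: $Account is not listed directly for SeServiceLogonRight."
    "Holders: $($holders -join ', ')"
}

# 4. Show the account the service is configured to start as (SERVICE_START_NAME).
sc.exe qc $Service | Select-String 'SERVICE_START_NAME'
```

After changing the logon account, restart the service and confirm the `Failed to create a temporary file` exception no longer appears in the Jenkins log.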