On 09/01/16 13:44, Thomas Goeppel wrote: > Hello community, > > I've been experimenting with the Cloudbees Docker Workflow plugin, and I > really like the ease of use of this DSL. Now I'd like to get security right. > > Problem: the plugin assumes that the docker binary is in the path > <http://documentation.cloudbees.com/docs/cje-user-guide/_limitations.html>. > In my understanding this has the implication that the user that issues > docker commands (e.g. jenkins) has to be in the docker group! > > The *docker* variable provided by the docker workflow plugin limits the > security impact by explicitly setting a non-priviledged user with the > "-u" option. However, at least in docker 1.9.1 I can pass a second "-u" > option which overwrites the original settings: > > docker.image('ubuntu').inside ('-v /etc:/etc-host -u 0') { > sh ''' > whoami > # -> root > awk '{gsub(/[A-Z]/,"!"); print}' /etc-host/shadow > # -> slightly masked password hashes > ''' > } > > I could also have passed in the "--privileged" flag. > > For a moment I asked myself it it would be worthwhile filing an ER, as > to have the plugin sanitize the "docker run" parameters. But the > fundamental problem is that a Jenkins job has the right to run the > docker commands. Running the following script would be even worse: > > node { > sh 'docker run -v /etc:/etc-host ubuntu cat /etc-host/shadow' > } > > > One option would be to write a shim for the docker command, that only > allows a subset of commands, and sanitizes the options and parameters.
Even if you do that, the jenkins user, as part of the docker group, will still have direct access to the unix socket that the Docker daemon uses. As is quite often the case with a CI server, you most likely need to either trust the users who can configure jobs (or edit Workflow scripts (if in source control)), or lock down the Jenkins configuration to allow only specific users. The Docker security guide also says "only trusted users should be allowed to control your Docker daemon": https://docs.docker.com/engine/articles/security/ Regards, Chris -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5691A024.8030504%40orr.me.uk. For more options, visit https://groups.google.com/d/optout.
