Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Why allowing Hudson to write to your downloads is a Bad Idea.

Let's say I'm the bad Guy. I've already exploited the current security leak with the ACL and replaced some files. Now I find that the ACL is gone but instead there's a cron-job that performs a copy. Seems to me like the only thing I need to do to keep up my malicious scheme is to replace the files at the source of that copy instead of at the target. Or am I missing something else?

- thomas

On 2011-09-14 10:26, Stéphane Bouchet wrote:
Hi,

initially, denis talked about security breach that could allow hudson user to access download area and can then be able to corrupt file or worse.

you are talking about something different, that is important too.

For the first question, that talk about only user privileges and access security, i've set up a cron for integration and nighlty, and for stable and releases, i personnally do promotion.

Your question is about hudson security that could permit somebody to corrupt files produced by hudson. i don't have answer for this one.


my 2c,




Back to the top