Re: [cross-project-issues-dev] [Hudson] access to Hudson build configurations is public

Hi Guys,

There seems to be a bug in the version of Hudson we're using where the security was broken, particularly around the area of project-based security. This has been fixed in later versions. Could we try to upgrade to the later version and restart Hudson to see if we can fix this problem?

Regarding


[1] https://hudson.dev.java.net/issues/show_bug.cgi?id=3116

On Wed, Mar 11, 2009 at 3:13 PM, Oisin Hurley <oisin.hurley@xxxxxxxxx> wrote:
> For what it's worth, Hudson was set up by (Rich Gronback? Adrian Skehill?)
> specifically for the Galileo build.  I'm a bit out of the loop, but it seems
> people are using it for much more than that.

I know - it works and we all piled on and constructed a favela out
of the available materials. Now we are demanding clean water and
sanitation ;-)

> Perhaps Rich, Adrian and/or
> other Hudson experts can chime in and configure it to be more secure?

If you try to create a new job, then you get asked to log in. If you go to
the home page, you get asked to log in. If you view a job, then hit
'configure' or 'build now' it doesn't ask you to log in. So I think we need
to start with requiring login for those capabilities (and of course things
like 'delete project', 'edit description', basically anything writable).

Maybe the most lightweight action to take now is let Apache
do the securing [1]?

 --oh

[0] http://wiki.hudson-ci.org/display/HUDSON/Securing+Hudson
[1] http://wiki.hudson-ci.org/display/HUDSON/Apache+frontend+for+security
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev

