https://bugs.eclipse.org/bugs/show_bug.cgi?id=351611 
     
    On 09/14/2011 10:18 AM, David Carver wrote:
    
      
      So this brings up a question...when was the last time Hudson
      itself was upgraded?  Do we have all the latest security patches,
      and fixes that have gone on in the latest code? 
       
      One of the first things that should occur is to make sure we have
      the latest stable versions of everything installed. 
      Start using Hudson 2.0. 
       
      Dave 
       
       
      On 09/13/2011 03:28 PM, Denis Roy wrote:
      
        
        While we're in a security-conscious frame-of-mind... 
         
         
        Many projects allow the Hudson user account to write to their
        download directories.  Projects use one of these two ways to do
        this: 
         
        1. They add an ACL on their download directory that allows the
        Hudson Build user to write there. 
         
        2. They chmod 777 their downloads directory, thus allowing
        everyone full access to their downloads directory. 
         
         
        Most of you understand that #2 is a clear violation of any kind
        of security we hope to maintain here at Eclipse.  Don't do
          it.  Please ask us for alternatives. 
         
         
        While #1 may seem like a better option, it has implications. 
        Allowing Hudson to alter downloads means that other committers
        can alter your downloads via a Hudson job.  I am not worried
        about this since I trust our committers. 
         
        The issue is about trusting a public-facing application
        (Hudson)  and all its plugins, each of which may contain
        security vulnerabilities.  If unauthorized control of Hudson was
        achieved, downloads could be replaced with compromised ZIP and
        JAR files. 
         
        As Hudson can sign on behalf of the Eclipse Foundation,
        compromised downloads would appear authentic with digital
        signatures and valid checksums.  A keystroke logger could leak
        sensitive credentials to a third party.  This is how
        unauthorized root access begins.  Far-fetched?  Not at all. 
         
        The above is not a stab at Hudson, Winstone or any other
        specific software -- all software may contain a vulnerability,
        including the Apache webserver and the Linux Kernel. 
         
        Hence, I strongly recommend you use a promotion job on
        build.eclipse.org which publishes known-good content from
        Hudson. A simple script which reads a state from Hudson, runs
        some sanity checks and wget's files and saves them in the
        downloads directory is a great start. 
         
         
        I appreciate your taking the time to read this.  My goal is not
        to encumber you with senseless, counter-productive dogma, but to
        strike a balance between security and convenience... with a
        slight bias towards security  :-) 
         
        Denis 
        
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
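
The pull-style promotion script recommended in the quoted message could look like the sketch below. It is an added example, not part of the original thread or any Eclipse script. `HUDSON_JOB_URL`, `DOWNLOADS_DIR` and the function names are assumptions; the `lastSuccessfulBuild/api/json` and `lastSuccessfulBuild/artifact/` paths are Hudson's standard remote-access URLs.

```shell
#!/bin/bash
# Pull-based promotion, run on build.eclipse.org as the project's own user, so
# the Hudson account needs no write access to the downloads directory.
# HUDSON_JOB_URL and DOWNLOADS_DIR are placeholders (assumptions).
HUDSON_JOB_URL="${HUDSON_JOB_URL:-https://hudson.example.org/job/myproject}"
DOWNLOADS_DIR="${DOWNLOADS_DIR:-/tmp/downloads-example}"

# Check 1: the build state (remote API JSON) must describe a finished build
# with result SUCCESS. Pattern matching stands in for a real JSON parser.
state_is_promotable() {
    printf '%s' "$1" | grep -Eq '"result"[[:space:]]*:[[:space:]]*"SUCCESS"' &&
    printf '%s' "$1" | grep -Eq '"building"[[:space:]]*:[[:space:]]*false'
}

# Check 2: accept only plain file names with an expected extension, so a
# compromised Hudson cannot steer the write outside DOWNLOADS_DIR.
name_is_safe() {
    case "$1" in
        */*|.*|-*|'') return 1 ;;
        *.zip|*.jar) printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$' ;;
        *) return 1 ;;
    esac
}

# Check 3: the fetched file is non-empty and starts with the ZIP magic "PK".
looks_like_zip() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = "PK" ]
}

promote() {   # usage: promote <artifact-name>
    local name="$1" tmp state rc=0
    name_is_safe "$name" || { echo "rejected name: $name" >&2; return 1; }
    state=$(wget -q -O - "$HUDSON_JOB_URL/lastSuccessfulBuild/api/json") || return 1
    state_is_promotable "$state" || { echo "build not promotable" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Download to a temp file first; only a file that passes the check is published.
    { wget -q -O "$tmp" "$HUDSON_JOB_URL/lastSuccessfulBuild/artifact/$name" &&
        looks_like_zip "$tmp" &&
        install -m 644 "$tmp" "$DOWNLOADS_DIR/$name"; } || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Only touch the network when explicitly asked to.
if [ "${1:-}" = "--promote" ]; then promote "$2"; fi
```

Reading the state and the artifact through the same permalink leaves a small window in which a newer build can finish; pinning both requests to one build number closes it.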
       
       
     
     
  