How to disable Jenkins script console?


Anna Freiholtz

Nov 13, 2017, 3:55:14 AM11/13/17
to Jenkins Users
Hi,

I would like to disable the possibility of using the Jenkins script console. But how do I do that?

Best regards,
Anna

Stephen Connolly

Nov 13, 2017, 4:16:24 AM11/13/17
to jenkins...@googlegroups.com
You could use an init.groovy script to remove the management link extension from the list of management link extensions. That will remove access to the HTML page. Keep in mind that there is a CLI command that offers the same functionality, so you'd need to cull that one also. There may also be other paths to that functionality so do not take the above as a complete solution.


Daniel Beck

Nov 13, 2017, 6:20:28 AM11/13/17
to jenkins...@googlegroups.com

> On 13. Nov 2017, at 10:16, Stephen Connolly <stephen.al...@gmail.com> wrote:
>
> You could use an init.groovy script to remove the management link extension from the list of management link extensions. That will remove access to the HTML page.

Did you try that? I would be surprised if this worked, given that Jenkins#doScript does all the work, so the /script URL should still be served.

> Keep in mind that there is a CLI command that offers the same functionality, so you'd need to cull that one also. There may also be other paths to that functionality so do not take the above as a complete solution.

The affected functionality:
- /script, /scriptText, /eval (sort of) URLs, and /computer/(whatever)/script and /computer/(whatever)/scriptText URLs
- groovy and groovysh CLI commands (can probably be deregistered)

UI:
- Link in Manage Jenkins (can probably be deregistered)
- Link in Computer sidepanel (cannot be deregistered)

I have a proposal PR at https://github.com/jenkinsci/jenkins/pull/3006 that does those things and I plan to make it a JEP. In the meantime, a combination of init.groovy.d scripting and reverse proxy request filtering should do it.

This all assumes you don't want to actually remove the permission to these scripts from admins to retain for example the 'In-Process Script Approval' functionality, and other scripting features provided by plugins. If you want to remove all of those, and not allow any 'system' scripting even for admins, you'll need a plugin that does not grant Overall/Run Scripts to users who have Overall/Administer. I'm not aware of any plugins that do this currently, so you'll need to fork one and add this (Permission#impliedBy is final, so cannot be scripted away).

Daniel
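The following init.groovy.d script is an added example and is not code from this thread or from Jenkins itself. It combines the two approaches above: it deregisters the Manage Jenkins link and the groovy/groovysh CLI commands as Stephen suggests, and, because Daniel points out that Jenkins#doScript still serves /script and that the Computer sidepanel link cannot be deregistered, it also rejects the URLs Daniel lists. Instead of a reverse proxy, the URL check here is done in-process with hudson.util.PluginServletFilter, so it applies whether or not a proxy sits in front of Jenkins. Assumptions: a 2017-era Jenkins 2.x (javax.servlet API; newer cores use jakarta.servlet), that the Script Console management link has urlName "script", and that the CLI commands are named "groovy" and "groovysh"; everything is matched by name rather than by class, and the println at the end reports what was actually found.

```groovy
// $JENKINS_HOME/init.groovy.d/disable-script-console.groovy
// Added example, not from the thread or from Jenkins core. See the lead-in
// for the assumptions (javax.servlet API, link urlName "script", CLI command
// names "groovy"/"groovysh").
import hudson.cli.CLICommand
import hudson.model.ManagementLink
import hudson.util.PluginServletFilter

import javax.servlet.Filter
import javax.servlet.FilterChain
import javax.servlet.FilterConfig
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

// 1. Remove the "Script Console" entry from Manage Jenkins.
//    This only hides the link; Jenkins#doScript still serves /script (see 3).
def consoleLinks = ManagementLink.all().findAll { it.urlName == 'script' }
consoleLinks.each { ManagementLink.all().remove(it) }

// 2. Remove the groovy and groovysh CLI commands so the CLI cannot run
//    system Groovy either. Commands are resolved by name from CLICommand.all().
def groovyCommands = CLICommand.all().findAll { it.name in ['groovy', 'groovysh'] }
groovyCommands.each { CLICommand.all().remove(it) }

// 3. Reject the URLs that actually execute scripts, however they are reached
//    (Manage Jenkins link, Computer sidepanel link, direct request, script).
//    /computer/<node>/script and /scriptText are the per-agent consoles;
//    /eval is included because Daniel lists it as "sort of" affected.
def BLOCKED = ~/^\/(script|scriptText|eval|computer\/[^\/]+\/(script|scriptText))(\/.*)?$/

PluginServletFilter.addFilter(new Filter() {
    void init(FilterConfig cfg) {}
    void destroy() {}

    void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req
            String path
            try {
                // Match on the decoded path so %-encoding cannot slip past the
                // pattern; an unparseable request URI is rejected outright.
                path = new URI(http.requestURI).path
            } catch (URISyntaxException e) {
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_BAD_REQUEST)
                return
            }
            // Strip the context path (Jenkins may live under /jenkins) and any
            // ;jsessionid-style path parameters before matching.
            path = path.substring(http.contextPath.length()).replaceAll(/;[^\/]*/, '')
            if (path ==~ BLOCKED) {
                ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN,
                        'Script console is disabled on this instance')
                return
            }
        }
        chain.doFilter(req, resp)
    }
})

println "disable-script-console: removed ${consoleLinks.size()} management link(s) and " +
        "${groovyCommands.size()} CLI command(s); script console URLs now return 403"
```

After a restart, check the Jenkins log for the println line (zero removed links or commands means the name assumptions did not hold on your version) and confirm that a GET of /script and of /computer/<node>/script returns 403 for an administrator. If a reverse proxy fronts Jenkins, refusing the same path patterns there as well (an nginx location rule returning 403 for `^/(script|scriptText|eval)` and `^/computer/[^/]+/(script|scriptText)`) gives a second layer, so a filter accidentally dropped during an upgrade does not silently reopen the console. As Daniel's last paragraph explains, none of this touches permissions: Overall/Administer still implies Overall/Run Scripts, so in-process script approval and other plugin-provided scripting keep working for administrators.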