Symbolic links pointing outside the userContent directory are not followed anymore

[Alex Chatziparaskewas]

Hi All,

Using Jenkins version 2.157, we have been successfully using symbolic links in the userContent directory for quite some time. These symbolic links point to directories outside of Jenkins HOME directory. However, they stopped working, indicated by a small ‘red’ emblem now shown on the symbolic link names on Jenkin’s userContent page (see the picture below). Symbolic links within the scope of the userContent directory still work as expected. Jenkins, the symbolic links and the target directories all run or belong to the same user.

 

Two things happened in the context of this not working anymore:

-         - The target directories for the symbolic links got recreated (not the first time, but this happens very seldom)

-         - Jenkins service was restarted (this is done even less seldom)

 

I am a bit out of ideas. My best guess (or fear) is that security got tightened a bit somewhere. Restructuring the directories is only theoretically possible as there are tons of data behind the symbolic links (might be easier to rebuild the build server or scrap the userContent feature and use a dedicated HTTP server).

Thanks & Regards,

Alex

[Alex Chatziparaskewas]

Hi All,

Solved. I finally found the source code generating the userContent page, which allowed me to find this page: https://www.cloudbees.com/cloudbees-security-advisory-2018-12-05.

Conclusion setting an additional system property ' -Dhudson.model.DirectoryBrowserSupport.allowSymlinkEscape=true' tells Jenkins' userContent to follow symbolic links again.

Have fun & Thanks (for Jenkins)

Alex