Issue
Anyone who can create a job in Jenkins can run a script that creates folders on the agents. This lets the agents become messy and non-reproducible.
Environment
- CloudBees Jenkins Enterprise
- Jenkins OpenSource
Solution
The solution here is to run the agents as a user that has no rights outside of the desired FS and is not a sudoer.
For example, the user running the agent should be created with
sudo useradd -m --home /var/jenkins-agent jenkins
and /var/jenkins-agent should then be used as the base folder in the agent configuration. This way, if a user tries to run mkdir /app/dd, they won't be allowed.
However, they will still be able to run mkdir /var/jenkins-agent/toto, for example. If this is a problem, then you should look at chrooting the user jenkins to make sure it can only call the tools you authorized and not all the tools in /usr/bin and so on.
In any case, you should consider agents as disposable units that can be re-created using a Chef/Puppet script. This way, even if your users create folders and the agents end up differing from one another, it is quite easy to erase the agent host and re-connect it to Jenkins.
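To check that the dedicated agent account described above is really confined, the following audit helpers can be run on an agent host. This is an added example, not CloudBees code; the admin group names, the list of directories probed and the file name audit.sh are assumptions.

```shell
#!/bin/sh
# Added example. AGENT_USER / AGENT_BASE mirror the useradd command above.
AGENT_USER=${AGENT_USER:-jenkins}
AGENT_BASE=${AGENT_BASE:-/var/jenkins-agent}

# Succeeds if the group list (output of `id -Gn USER`) contains a group that
# commonly grants sudo. The group names are an assumption about the distro's
# sudoers policy; adjust them to yours.
in_admin_group() {
    for g in $1; do
        case "$g" in
            sudo|wheel|admin) return 0 ;;
        esac
    done
    return 1
}

# Succeeds if path $2 is the base folder $1 or lies beneath it. Matching on
# "$1/" keeps /var/jenkins-agent-old from counting as inside the base.
under_base() {
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each existing directory in $2.. that the current user can write to
# and that resolves (symlinks followed) to a location outside the base $1.
writable_outside() {
    base=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        real=$(cd "$d" 2>/dev/null && pwd -P) || continue
        if [ -w "$real" ] && ! under_base "$base" "$real"; then
            printf '%s\n' "$real"
        fi
    done
}

# Run as the agent user: sudo -u jenkins sh audit.sh --audit
# (The directory list is a constructed sample; /tmp is left out on purpose.)
audit() {
    if in_admin_group "$(id -Gn "$AGENT_USER")"; then
        echo "FAIL: $AGENT_USER belongs to an admin group"
    fi
    writable_outside "$AGENT_BASE" / /app /opt /srv /usr/local /etc /var
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Any path printed by the audit is a directory outside the base folder where a job could still create files, and should have its permissions tightened.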