jenkins应该具有什么权限才能在不安全的情况下执行shell命令? [英] what permissions should jenkins have to execute shell-commands without being insecure?

问题描述

我在本地服务器上有一个脚本(test.sh)，在终端中执行时可以正常工作.该脚本删除目录，然后重新创建本地目录.然后，它使用"ssh -i $ private_key .."连接到远程服务器，并在那里复制文件.

I have a script (test.sh) on a local server, which works fine when executed in a terminal. The script removes a directory, and recreates a directory local. It then connects to a remote server using "ssh -i $private_key .." and copies a file there.

当我使用

sh test.sh

它不起作用.我收到以下错误:

it doesnt work. I get the following errors:

rm: .. Permission denied
mkdir: .. Permission denied
Warning: Identity file /.ssh/private_key not accessible: Permission denied.

Jenkins与脚本位于同一服务器上.

Jenkins is on the same server as the script.

我看到Jenkins是另一个用户，无法以root用户的身份执行所有操作；如何设置权限而又不丢失所有安全性.尤其是在使用private_key的情况下，将权限设置为easy会很愚蠢-当前设置为600(所有者的读写权限)，并且所有者为root.

I see that Jenkins is another user and cant do everything that I'm doing as root; how can I set the permissions without losing all security. Especially in case of the private_key, it would be silly to set the permissions to easy - it is currently set to 600 (read and write permission for the owner) and the owner is root.

推荐答案

将私钥的权限设置为600的全部目的是，其他任何用户都不能访问它.如果将密钥放置在另一个用户的主目录(/home/anotheruser/.ssh)中，那么Jenkins用户和其他任何人(root用户除外)都将无法访问它. 这是按设计的.

The whole point of setting the private key's permissions to 600 is that no other user should be able to access it. If you have placed the keys in another user's home directory (/home/anotheruser/.ssh), then neither the Jenkins user, nor anyone else (except root) will be able to access it. This is as designed.

如果您希望您的Jenkins用户能够使用私钥，请将其也复制到jenkins用户的主目录(/home//.ssh).

此外，如果您尝试以Jenkins用户的身份在其他用户目录中删除/创建目录，而没有提供权限，则会出现权限错误.这是因为安全.允许此操作的唯一方法是允许Jenkins用户更改这些目录.

Also, if you are trying to delete/create directories in some other user's directory as the Jenkins user without providing permissions, you will get a permissions error. This is because of security. The only way to allow this is the allow the Jenkins user to make changes to those directories.

一个安全的选择是将Jenkins用户添加到与其他用户相同的组中.完成此操作后，在要读取和写入的目录上设置权限，以允许用户组中的任何人进行更改.

One safe option is to add the Jenkins user to the same group as the other user. Once you do this, set the permissions on the directories you want to read from and write to, to allow anyone in the user's group to make changes.

rwxrwx---

以上权限将允许文件夹的所有者和同一组中的任何其他用户进行更改，但不允许其他任何人.这是安全的，因为您可以控制谁是另一个用户组的成员.

The above permissions will allow the owner of the folder and any other users in the same group to make changes, but will not allow anyone else. This is safe, since you control who is part of the other user's group.

编辑

不过，您的错误似乎已更改.您不会再被拒绝权限.您仍然可以通过终端吗?我认为主机密钥验证失败的原因是，您的密钥最初是为其他用户创建的.我意识到我在上面的回答中说过要这样做，但这不是正确的方法.

It looks like your error has changed, though. You're not getting permission denied any more. Can you still do it through terminal? The reason (I think) it is saying that the host key verification has failed is because your key was originally created for the other user. I realise I said to do this in the answer above, but it is not the right way.

作为jenkins用户，您可以运行以下命令:

As the jenkins user, can you run the following commands:

ssh-keygen (say yes or agree if it asks if you want to replace your current keys)
ssh-copy-id -i ~/.ssh/id_rsa.pub remoteuser@remote_server
ssh remoteuser@remote_server

如果可行，请在终端上尝试脚本，然后再次通过jenkins ...

If this works, try your script through the terminal, and then through jenkins again...

这篇关于jenkins应该具有什么权限才能在不安全的情况下执行shell命令?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！