Is there a way to prevent a project from not having access to another project files in Jenkins CI?

Question

I am trying to setup a Jenkins/Hudson CI in a distributed environment. I am curious about the following questions:

1) does the slave account need to be a root/administrator account? If lower privilege can run whats the minimum access?

2) On a slave node, does one projects jobs have access to another project files that previously built on the same node? How would you prevent this?

3) How do you secure someone from not being able to format your disk with a bat file running in a pre or post build script?

Answer 1

1) The slave account does not have to be root or administrator. It only needs full access to the folder you give in the "Remote FS root" field of the slave configuration.

2) Yes it does. Each project folder is owned by the user that is used to run the slave. You can access other project folders using relative paths: $WORKSPACE/../OTHER_PROJECT/. I'm not sure if there is a default way to prevent this. However, you have two options:

• Delete the workspace after your build (use plugin Workspace Cleanup Plugin)
• Create a separate slave/user combination for each project - the slave can be the same, but you'd have to create a separate user for each project.

3) Formatting a disk completely would require privileged access. You should not give your slave user those rights. I'm not sure whether your slave is Unix or Windows based, but either way, you should be able to prevent your user from being allowed to do any such task. Like stated in A1, the slave user only needs enough access to be able to read/write/execute in its "Remote FS root" folder.

Just out of curiosity - what OS are you running on your slave?