Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Script task in Bamboo

Karthikeyan Kul3
Karthikeyan Kulasekaran March 8, 2015

We are setting up Bamboo in our company, We foresee a risk in Script task. This task gives a privileged to delete what ever folder in the server . How to over come this

Example : We have installed Bamboo in Linux server under /usr/local/bamboo . With Script task defined in a plan can delete this folder

Answer
Watch
Like Be the first to like this
1337 views

3 answers

1 accepted

0 votes
Answer accepted
Krystian Brazulewicz
Krystian Brazulewicz
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 9, 2015

Bamboo is an application that runs stuff that users want it to run. Malicious commands can be run in a multiple ways because almost every build tool allows you to run some shell commands (maven, ant, grails). If you really don't trust your users then as Mike and Daniel proposed:

  • use only remote agents
  • run remote agents on non-privileged accounts

This way you'll limit your potential damage to the single agent.

Reply
0 votes
Daniel Wester
Daniel Wester
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 8, 2015

Set up the agent to run as a non-privileged user. It's the nature of build servers. Doesn't matter if it's script. You have the same issue with ant, maven or any other build scripts.

You can lock down the permissions where the application installation is done and only allow the bamboo_home dir opened up for the user to write to. If you really want to protect yourself - don't use local agents. Then run the remote agents as non privileged users. That way if somebody does a rm -rf it would only be able to hurt that one agent.

Reply
0 votes
Mike Friedrich
Mike Friedrich
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 8, 2015

I believe that applies to agents only.

And even there I don't really see a problem. The person who writes the task anyway often needs admin access on agents.

But I aggree, there should be some optional protection.

View More Comments
Mike Friedrich
Mike Friedrich
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 8, 2015

Btw, the permissions depend on the account the agent or server runs under.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bamboo
Bamboo
TAGS
AUG Leaders

Atlassian Community Events

    See all events