[JENKINS-61071] Ensure that initialization tasks run as SYSTEM (jenki…

…nsci#4491)
SimoHyHa414 · Feb 15, 2020 · 7ff5f09 · 7ff5f09
1 parent a405be9
commit 7ff5f09
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/core/src/main/java/jenkins/InitReactorRunner.java b/core/src/main/java/jenkins/InitReactorRunner.java
@@ -4,10 +4,12 @@
 import jenkins.util.SystemProperties;
 import hudson.init.InitMilestone;
 import hudson.init.InitReactorListener;
+import hudson.security.ACL;
 import hudson.util.DaemonThreadFactory;
 import hudson.util.NamingThreadFactory;
 import jenkins.model.Configuration;
 import jenkins.model.Jenkins;
+import jenkins.security.ImpersonatingExecutorService;
 import org.jvnet.hudson.reactor.Milestone;
 import org.jvnet.hudson.reactor.Reactor;
 import org.jvnet.hudson.reactor.ReactorException;
@@ -45,7 +47,7 @@ public void run(Reactor reactor) throws InterruptedException, ReactorException,
         else
             es = Executors.newSingleThreadExecutor(new NamingThreadFactory(new DaemonThreadFactory(), "InitReactorRunner"));
         try {
-            reactor.execute(es,buildReactorListener());
+            reactor.execute(new ImpersonatingExecutorService(es, ACL.SYSTEM), buildReactorListener());
         } finally {
             es.shutdownNow();   // upon a successful return the executor queue should be empty. Upon an exception, we want to cancel all pending tasks
         }

diff --git a/test/src/test/java/hudson/PluginManagerTest.java b/test/src/test/java/hudson/PluginManagerTest.java
@@ -503,6 +503,18 @@ public void requireSystemDuringStart() throws Exception {
         }
     }
 
+    @Issue("JENKINS-61071")
+    @Test
+    public void requireSystemInInitializer() throws Exception {
+        r.jenkins.setSecurityRealm(r.createDummySecurityRealm());
+        r.jenkins.setAuthorizationStrategy(new MockAuthorizationStrategy());
+        String pluginShortName = "require-system-in-initializer";
+        dynamicLoad(pluginShortName + ".jpi");
+        try (ACLContext context = ACL.as(User.getById("underprivileged", true).impersonate())) {
+            r.jenkins.pluginManager.start(Collections.singletonList(r.jenkins.pluginManager.getPlugin(pluginShortName)));
+        }
+    }
+
     private void dynamicLoad(String plugin) throws IOException, InterruptedException, RestartRequiredException {
         PluginManagerUtil.dynamicLoad(plugin, r.jenkins);
     }

diff --git a/test/src/test/resources/plugins/require-system-in-initializer.jpi b/test/src/test/resources/plugins/require-system-in-initializer.jpi