Question regarding password file in Jazz Build Engine
JBE has an option to create Password text file which could be consumed instead of providing password a plain text.
In windows, the build engine must run under the build user which means the password file should be accessible for this user.
In a hypothetical case, if a user wants to modify the build scripts in a way to get this password file (ex: via simple batch file commands),
if the attacker / user gets hold of the password file, what are the security issues we could foresee?
- Can the attacker decrypt the password fairly easily?
- Could the attacker try to run a JBE pointing to an already running build engine? Since to create a new build engine in RTC, the user needs the necessary privileges.
What security measures could RTC admins apply in this case? It isn't easy to even detect this in the first place.
Accepted answer
This knowledge base entry https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.team.build.doc%2Ftopics%2Ftcreatepasstxt.html discusses the build toolkit password file. Note that it specifically states:
"The password file is not strongly encrypted. Any user with access to the file can potentially decrypt it. Set appropriate operating system file permissions on the password file to prevent access from anyone other than the user running the Jazz Build Engine and the Ant tasks. The main benefit of using a password file instead of the password command line argument (for the Jazz Build Engine) or password attribute (for Ant tasks) is to avoid the password being repeated in the clear in build scripts, and the shell history."
Once someone has the password for an account I would expect they can do anything that the account has privileges to do. As stated in the note above, the password file is provided to negate the need to expose a password in clear text in a build script etc.
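The mitigation the knowledge base entry names is operating system file permissions. As an added example (not code from the thread or from the RTC/JBE product), the following PowerShell audits the password file's ACL for principals other than the build account, and tightens the DACL so only that account can read it; the file path and the account name are placeholders.

```powershell
# Added example, not from the jazz.net thread or the RTC product: audit the ACL of a
# JBE password file and, if needed, tighten it so only the build account can read it.
# Placeholders (assumptions): the file path and the build service account name.
$PasswordFile = 'C:\jbe\password.txt'
$BuildUser    = 'BUILDHOST\jbeuser'
# Principals expected on the file; anything else is a finding.
$Allowed = @($BuildUser, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UnexpectedPasswordFileAccess {
    param([string]$Path, [string[]]$AllowedPrincipals)
    $acl = Get-Acl -Path $Path
    # Inherited ACEs are the usual culprit: e.g. BUILTIN\Users:ReadAndExecute
    # inherited from the parent folder lets any local user copy the file.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($AllowedPrincipals -notcontains $_.IdentityReference.Value)
    } | ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
}

function Protect-PasswordFile {
    param([string]$Path, [string]$ReadUser)
    $acl = Get-Acl -Path $Path
    # Break inheritance and drop (not copy) the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove all explicit entries so the file starts from a clean DACL.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # The build user only reads the file, so grant Read and nothing more.
    $acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $ReadUser, 'Read', 'Allow'))
    # Keep SYSTEM and local Administrators so the file stays manageable.
    foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $admin, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $Path -AclObject $acl
}

$findings = Get-UnexpectedPasswordFileAccess -Path $PasswordFile -AllowedPrincipals $Allowed
if ($findings) {
    $findings | Format-Table -AutoSize
    Protect-PasswordFile -Path $PasswordFile -ReadUser $BuildUser
} else {
    Write-Host "$PasswordFile is readable only by the expected principals."
}
```

Run the audit part on its own as a scheduled check: a new unexpected principal (or a rights change for the build account) is the signal that somebody has been at the file or its parent folder permissions.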