SOLVED

Security on Azure Devops Self Hosted agent


Hello,

 

Today I have discovered that it is possible from the pipeline to deploy software directly on the agents without any kind of authentication. In my case, I was able to deploy Docker directly on a self-hosted agent by just using a bash script on the pipeline.

 

Is it possible to deny this kind of deployment on a self-hosted agent from the pipeline without impacting any other deployments, pipelines, or releases?

 

From the security perspective, it poses a risk: someone that has access to the pipelines can deploy unwanted software on an agent.

 

 

1 Reply
best response confirmed by dparis (New Contributor)
Solution

You are essentially running the agent using a specific account (the one you used to install the agent). You will have to limit the permission of that account to disallow software installation.

 

Felix.
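One way to check what the reply describes, as an added example that is not part of the original thread: a shell audit of whether the account the agent runs as holds privileges that allow software installation. It assumes a Linux agent host; the account name `azagent` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account a self-hosted
# agent runs as for privileges that would let a pipeline install software.
# Assumes a Linux host; "azagent" is a hypothetical account name.

# risky_findings UID "GROUP NAMES" "SUDO -l OUTPUT"
# Pure function over collected data; prints one finding per line.
risky_findings() {
    local uid="$1" groups="$2" sudo_list="$3" g
    [ "$uid" -eq 0 ] && echo "runs-as-root"
    for g in $groups; do
        case "$g" in
            sudo|wheel|admin) echo "admin-group:$g" ;;
            # Access to the Docker socket is effectively root on the host.
            docker) echo "docker-group" ;;
        esac
    done
    case "$sudo_list" in
        *NOPASSWD*) echo "passwordless-sudo" ;;
    esac
    return 0
}

# audit_account USER: gather live data for USER and report.
# Listing another user's sudo rules (-U) normally requires running as root.
audit_account() {
    local user="$1" findings
    findings=$(risky_findings "$(id -u "$user")" "$(id -Gn "$user")" \
        "$(sudo -n -l -U "$user" 2>/dev/null || true)")
    if [ -z "$findings" ]; then
        echo "OK: no install-capable privileges found for $user"
    else
        echo "REVIEW: $user can likely install software:"
        echo "$findings" | sed 's/^/  - /'
        return 1
    fi
}

# Usage: sh audit_agent.sh azagent
if [ "$#" -eq 1 ]; then audit_account "$1"; fi
```

Any finding means a script step in a pipeline inherits that privilege, so the fix is on the account (remove the group membership or sudo rule), not in the pipeline definition.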