What would be a better practice instead of chmod g+r /etc/shadow so I can use Unix user/group database for Jenkins authentication?

MauricioOtta asked:

I don’t want to run Jenkins as root, nor does giving public access (or even group access) to /etc/shadow seem to be a good idea.

As suggested by “Manage Jenkins” when selecting Linux user/group database:
“Either Jenkins needs to run as root or User ‘httpd’ needs to belong to group root and ‘chmod g+r /etc/shadow’ needs to be done to enable Jenkins to read /etc/shadow”

From a security standpoint, what would be the best practice while running Jenkins and still being able to perform some tasks as a super user (in case my jobs need that)?

My answer:

A better practice would be to use the pwauth plugin, which lets you run Jenkins as a non-root user, and only pwauth itself needs to be setuid root to perform the actual authentication.

View the full question and any other answers on Server Fault.
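As an added example (not part of the original question or answer), the following Python check tells the two setups apart: it flags a service account that can read /etc/shadow directly, and verifies that the authentication helper is a root-owned setuid binary that nobody else can modify. The account name `jenkins` and the helper path `/usr/sbin/pwauth` are assumptions; pass your own values on the command line.

```python
import os
import pwd
import stat
import sys

def audit_shadow(st_mode, st_gid, svc_uid, svc_gids):
    """Findings for /etc/shadow as seen by the Jenkins service account."""
    findings = []
    if svc_uid == 0:
        findings.append("service runs as root")
    if st_mode & stat.S_IROTH:
        findings.append("shadow is world-readable")
    # Group read only matters if the service account is in the owning group.
    if st_mode & stat.S_IRGRP and st_gid in svc_gids:
        findings.append("service account can read shadow through its group")
    return findings

def audit_helper(st_mode, st_uid):
    """Findings for the setuid authentication helper (pwauth)."""
    findings = []
    if st_uid != 0:
        findings.append("helper is not owned by root")
    if not st_mode & stat.S_ISUID:
        findings.append("helper is not setuid")
    # A setuid-root binary that others can overwrite is a root compromise.
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("helper is writable by group or others")
    return findings

def audit_host(svc_user="jenkins", helper="/usr/sbin/pwauth"):
    """Run both checks on the live system (default names are assumptions)."""
    pw = pwd.getpwnam(svc_user)
    gids = set(os.getgrouplist(svc_user, pw.pw_gid))
    sh = os.stat("/etc/shadow")
    he = os.stat(helper)
    return (audit_shadow(sh.st_mode, sh.st_gid, pw.pw_uid, gids)
            + audit_helper(he.st_mode, he.st_uid))

# Constructed sample: the setup from the Jenkins message (shadow mode 0640,
# group root, service account uid 498 added to group root).
SAMPLE_WEAK = (0o100640, 0, 498, {498, 0})

if __name__ == "__main__":
    for finding in audit_host(*sys.argv[1:3]):
        print("FINDING:", finding)
```

An empty result from `audit_host` means the service account has no direct read path to the shadow file and the helper's ownership and mode are as expected.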

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.