Jenkins SYSTEM user privilege escalation?
I’ve just set up some permissions for various users using the “Project-based Matrix Authorization Strategy” and Jenkins then tells me that
“Builds in Jenkins run as the virtual Jenkins SYSTEM user with full Jenkins permissions by default. This can be a problem if some users have restricted or no access to some jobs, but can configure others.”
Googling some, I find this explained as that it “could allow users with access to configure and start one job to start builds of any other jobs using Pipeline Build Step Plugin.” (Access Control for Builds)
It seems the Matrix Authorization Strategy plugin is quite standard among organizations that use Jenkins; that plugin is also actively maintained, with the latest release being just 13h ago at the time of writing this. How can it be, then, that the authorizations set by this plugin are completely undermined by the use of Jenkins’ SYSTEM user, and that in order to get that under control one needs to install an additional plugin which is seemingly no longer maintained: the Authorize Project plugin? Its latest release was a year ago and it is listed as “up for adoption”.
Do people just disregard this issue? Or is the warning false? How does this fit together?
Thankful for any clarifying responses.