- man-in-the-middle concerns:
  - between the TeamCity server and the user's web browser: it is advised to use HTTPS for the TeamCity server. During login, TeamCity transmits the user login password in an encrypted form with a moderate encryption level.
  - between a TeamCity agent and the TeamCity server: see the section.
  - between the TeamCity server and other external servers (version control, issue tracker, etc.): the general rules apply as for any client (the TeamCity server in this case) connecting to the external server; see the guidelines for the server in question.
- users that have access to the TeamCity web UI: the specific information accessible to the user is defined via TeamCity user roles.
- users who can change the code that is used in the builds run by TeamCity (including committers in any branches/pull requests if they are built on TeamCity):
  - can do everything that the OS user under whom the TeamCity agent is running can do, and have access to OS resources and other applications installed on the agent machines where their builds can run.
  - can access and change the source code of other projects built on the same agent, modify the TeamCity agent code, publish any files as artifacts for the builds run on the agent (which means the files can then be displayed in the TeamCity web UI and expose web vulnerabilities, or can be used in other builds), etc.
  - can impersonate a TeamCity agent (run a new agent that looks the same to the TeamCity server).
  - can do everything that users with the "View build configuration settings" permission for all the projects on the server can do (see below).
  - can retrieve the settings of the build configurations in which the builds are run, including the values of the password fields.
  - can download artifacts from any build on the server.
Hence, it is advised to run TeamCity agents under an OS account with only the necessary set of permissions and to use the agent pools feature to ensure that projects requiring a different set of access are not built on the same agents.
- users with the "View build configuration settings" permission (the "Project developer" TeamCity role by default) can view all the projects on the server, but since TeamCity 9.0 there is a way to restrict this; see details in the corresponding issue TW-24904.
- users with the "Edit project" permission (the "Project Administrator" TeamCity role by default) in one project can, by changing settings, retrieve artifacts and trigger builds from any build configuration they have only the view permission for (TW-39209). The users might also be able to make the TeamCity server run any executable located on the server.
- users with the "Change server settings" permission (the "System Administrator" TeamCity role by default): It is assumed that the users also have access to the computer on which the TeamCity server is running under the user account used to run the server process. Thus, the users can get full access to the machine under that OS user account: browse file system, change files, run arbitrary commands, etc.
- TeamCity server computer administrators: have full access to TeamCity stored data and can affect TeamCity executed processes. Passwords that are necessary to authenticate in external systems (like VCS, issue trackers, etc.) are stored in a scrambled form in the TeamCity Data Directory and can also be stored in the database. However, the values are only scrambled, which means they can be retrieved by users who have access to the server file system or database.
  - Users who have read access to TeamCity server logs (TeamCity server home directory) can escalate their access to TeamCity server administrator.
  - Users who have read access to the TeamCity Data Directory can access all the settings on the server, including configured passwords.
  - Users who have read access to the build artifacts in the TeamCity Data Directory (<TeamCity Data Directory>\system\artifacts) get the same permissions as users with the "View build runtime parameters and data" permission (in particular, access to the values of all the password parameters used in the build).
- TeamCity agent computer administrators: same as "users who can change code that is used in the builds run by TeamCity".
- It is recommended to establish project separation between the agents, so that one TeamCity agent does not run builds whose developers and administrators should not get access to each other's projects. The recommended way to establish the separation is to use the agent pools feature and make sure that the "Default" agent pool has no agents, since a project can end up assigned to the Default pool after certain reconfigurations (i.e. when there is no other pool the project is assigned to).
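As an added illustration of the two pool-related recommendations above (keep isolated projects on separate agent pools, and keep the "Default" pool empty), the following Python audit is not TeamCity's own code: it walks pool listings shaped like the REST API's agent-pool detail responses (the JSON shape is an assumption and the sample data is constructed) and flags a non-empty Default pool as well as any pool where projects the operator wants isolated could share agents.

```python
"""Audit TeamCity agent-pool separation from pool listings (constructed sample)."""
import json

# Constructed sample shaped like TeamCity's REST pool detail responses
# (GET /app/rest/agentPools/id:<n>): the shape is assumed, the values are invented.
SAMPLE_POOLS = json.loads("""
[
  {"id": 0, "name": "Default",
   "projects": {"count": 1, "project": [{"id": "Legacy"}]},
   "agents": {"count": 1, "agent": [{"id": 7, "name": "agent-7"}]}},
  {"id": 1, "name": "Internal",
   "projects": {"count": 2, "project": [{"id": "Payments"}, {"id": "Hr"}]},
   "agents": {"count": 2, "agent": [{"id": 1, "name": "agent-1"},
                                    {"id": 2, "name": "agent-2"}]}},
  {"id": 2, "name": "OpenSource",
   "projects": {"count": 1, "project": [{"id": "PublicSdk"}]},
   "agents": {"count": 1, "agent": [{"id": 3, "name": "agent-3"}]}}
]
""")

# Groups of projects that must never build on the same agents.
# This is a constructed local policy, not a TeamCity setting.
MUST_NOT_SHARE = [{"Payments", "Hr"}, {"Payments", "PublicSdk"}]


def audit_pools(pools, must_not_share):
    """Return findings as (rule, pool name, details) tuples.

    Rules: 'default-pool-has-agents' when the Default pool owns any agent
    (a project can silently land there after reconfiguration), and
    'shared-agents' when two or more projects from one isolation group are
    assigned to a pool that actually has agents, so their builds could run
    on the same machine.
    """
    findings = []
    for pool in pools:
        projects = {p["id"] for p in pool["projects"]["project"]}
        agents = sorted(a["name"] for a in pool["agents"]["agent"])
        if pool["name"] == "Default" and agents:
            findings.append(("default-pool-has-agents", pool["name"], agents))
        for group in must_not_share:
            colocated = group & projects
            if len(colocated) > 1 and agents:
                findings.append(("shared-agents", pool["name"], sorted(colocated)))
    return findings


if __name__ == "__main__":
    for finding in audit_pools(SAMPLE_POOLS, MUST_NOT_SHARE):
        print(finding)
```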
- When storing settings in VCS is enabled:
  - any user who can access the settings repository (including users with the "View file content" permission for the build configurations using the same VCS root) can see the settings and retrieve the actual passwords from their stored scrambled form.
  - any user who can modify settings in VCS for a single build configuration built on the server can, by changing settings, retrieve artifacts and trigger builds from any build configuration they have only the view permission for (TW-39192).
  - users who can customize build configuration settings on a per-build basis (e.g. one who can run personal builds when versioned settings are set to "use settings from VCS") can, by changing settings in a build, retrieve artifacts and trigger builds from any build configuration they have only the view permission for (TW-46065).
- TeamCity web application vulnerabilities: the TeamCity development team makes a reasonable effort to fix any significant vulnerabilities (like cross-site scripting possibilities) once they are uncovered. Please note that any user who can affect build files ("users who can change code that is used in the builds run by TeamCity" or "TeamCity agent computer administrators") can make a malicious file available as a build artifact that will then exploit a cross-site scripting vulnerability (TW-27206).
- TeamCity agent is fully controlled by the TeamCity server: since TeamCity agents support automatic updates download from the server, agents should only connect to a trusted server. An administrator of the server computer can force execution of arbitrary code on a connected agent.
- Binaries of the agent plugins installed on the server are available to anyone who can access the server URL.