Fix race condition during initial admin account creation

Pnkcaht · Pnkcaht · commit 03341708a848 · 2026-01-02T21:18:24.000-05:00
diff --git a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
@@ -356,25 +356,34 @@ private String getErrorMessages(SignupInfo si) {
         return messages.toString();
     }
 
+    /**
+     * Lock used to make initial admin account creation atomic.
+     */
+    private static final Object CREATE_FIRST_ACCOUNT_LOCK = new Object();
+
     /**
      * Creates a first admin user account.
      *
      * <p>
      * This can be run by anyone, but only to create the very first user account.
      */
     @RequirePOST
-    public void doCreateFirstAccount(StaplerRequest2 req, StaplerResponse2 rsp) throws IOException, ServletException {
-        if (hasSomeUser()) {
-            rsp.sendError(SC_UNAUTHORIZED, "First user was already created");
-            return;
-        }
-        User u = createAccount(req, rsp, false, "firstUser.jelly");
-        if (u != null) {
-            tryToMakeAdmin(u);
-            loginAndTakeBack(req, rsp, u);
+    public void doCreateFirstAccount(StaplerRequest2 req, StaplerResponse2 rsp)
+            throws IOException, ServletException {
+        synchronized (CREATE_FIRST_ACCOUNT_LOCK) {
+            if (hasSomeUser()) {
+                rsp.sendError(SC_UNAUTHORIZED, "First user was already created");
+                return;
+            }
+            User u = createAccount(req, rsp, false, "firstUser.jelly");
+            if (u != null) {
+                tryToMakeAdmin(u);
+                loginAndTakeBack(req, rsp, u);
+            }
         }
     }
 
+
     /**
      * Try to make this user a super-user
      */
