On Tue, Apr 07, 2020 at 12:48:34PM +0100, Daniel P. Berrangé wrote:
On Tue, Apr 07, 2020 at 01:45:46PM +0200, Erik Skultety wrote:
On Tue, Apr 07, 2020 at 12:37:01PM +0100, Daniel P. Berrangé wrote:
On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
We're creating a dedicated user to run the gitlab agent, so why not store the agent within the user profile and execute it from there.
I'm wary of this as it seems like it can create a exploit vector. ie malicious code running as the gitlab account can replace the gitlab agent binary in its $HOME.
Shouldn't the binary be in /usr/local/bin and owned by root so it is completely separated ?
That's what I've done in v1 (though not because of the possible attack vector you mention), but it was suggested to move it to user's $HOME [1]. [1] https://www.redhat.com/archives/libvir-list/2020-March/msg01424.html
I'll change it to the original version on my local branch.
Hmm, for that matter, we shouldn't store the config file in the /home/gitlab/.gitlab-runner directory either.
Yes, I'll make sure the config is under the default system location in /etc/gitlab-runner/ with read permissions for the gitlab user. Thanks, -- Erik Skultety