On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
We're creating a dedicated user to run the gitlab agent, so why not store the agent within the user profile and execute it from there.
I'm wary of this as it seems like it can create an exploit vector, i.e. malicious code running as the gitlab account can replace the gitlab agent binary in its $HOME.
Shouldn't the binary be in /usr/local/bin and owned by root so it is completely separated?
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
guests/playbooks/update/tasks/users.yml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/guests/playbooks/update/tasks/users.yml b/guests/playbooks/update/tasks/users.yml
index a07349f..4b09416 100644
--- a/guests/playbooks/update/tasks/users.yml
+++ b/guests/playbooks/update/tasks/users.yml
@@ -70,3 +70,10 @@
with_items:
- profile
- bash_logout
+
+- name: '{{ flavor }}: Create /home/{{ flavor }}/bin directory'
+ file:
+ path: /home/{{ flavor }}/bin
+ state: directory
+ owner: '{{ flavor }}'
+ group: '{{ flavor }}'
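Review bot: the new `file` task sets `owner` and `group` to the `{{ flavor }}` user but no `mode`, so the permissions of /home/{{ flavor }}/bin depend on whatever umask the play runs with; and since the directory is owned by the same account that will execute the agent, any code running as that user can replace what is installed there, which is the concern raised above. If this directory is kept, add an explicit `mode: '0755'`; otherwise drop the task and install the binary under a root-owned path such as /usr/local/bin as suggested.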
--
2.25.1
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|