Re: [libvirt-jenkins-ci PATCH v2 2/6] guests: users: Create a bin/ directory in the flavor user's home
On Tue, Apr 07, 2020 at 12:37:01PM +0100, Daniel P. Berrangé wrote:
On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
> We're creating a dedicated user to run the gitlab agent, so why not
> store the agent within the user profile and execute it from there.
I'm wary of this as it seems like it can create a exploit vector.
ie malicious code running as the gitlab account can replace the
gitlab agent binary in its $HOME.
Shouldn't the binary be in /usr/local/bin and owned by root so
it is completely separated ?
That's what I've done in v1 (though not because of the possible attack vector
you mention), but it was suggested to move it to user's $HOME [1].
[1] https://www.redhat.com/archives/libvir-list/2020-March/msg01424.html
I'll change it to the original version on my local branch.