
On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
We're creating a dedicated user to run the gitlab agent, so why not store the agent within the user profile and execute it from there.
I'm wary of this as it seems like it can create an exploit vector, i.e. malicious code running as the gitlab account can replace the gitlab agent binary in its $HOME. Shouldn't the binary be in /usr/local/bin and owned by root so it is completely separated?
Signed-off-by: Erik Skultety <eskultet@redhat.com>
---
 guests/playbooks/update/tasks/users.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/guests/playbooks/update/tasks/users.yml b/guests/playbooks/update/tasks/users.yml index a07349f..4b09416 100644 --- a/guests/playbooks/update/tasks/users.yml +++ b/guests/playbooks/update/tasks/users.yml @@ -70,3 +70,10 @@ with_items: - profile - bash_logout + +- name: '{{ flavor }}: Create /home/{{ flavor }}/bin directory' + file: + path: /home/{{ flavor }}/bin + state: directory + owner: '{{ flavor }}' + group: '{{ flavor }}' -- 2.25.1
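Review bot: The new /home/{{ flavor }}/bin directory is created with `owner: '{{ flavor }}'` and `group: '{{ flavor }}'` and no explicit `mode:`, and the commit message says the agent binary is meant to be stored and executed from there; since the service account owns the directory, anything running as that account can replace whatever is installed in it. Suggest installing the agent under a root-owned location instead (for example /usr/local/bin with `owner: root`, `group: root`) and dropping this task, or, if a per-user bin directory is still wanted for other reasons, at least setting an explicit `mode:` and deriving the path from the user's home rather than hardcoding /home/{{ flavor }}.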
Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
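To make the ownership point from the reply above concrete, here is an added Ansible example (not part of the submitted patch or of libvirt-ci) showing the user-writable placement beside a root-owned one, plus a check that the installed binary has not regressed. The variable `agent_binary_src`, the target name `gitlab-agent` and the register name `agent_stat` are assumptions for illustration only.

```yaml
# Added example, not from the original patch or from libvirt-ci.
# `agent_binary_src` and the `gitlab-agent` file name are assumed names.

# Weak: the binary lives in a directory owned by the service account, so
# any code running as '{{ flavor }}' can overwrite or replace it.
- name: '{{ flavor }}: (weak) install agent into user-owned ~/bin'
  copy:
    src: '{{ agent_binary_src }}'
    dest: /home/{{ flavor }}/bin/gitlab-agent
    owner: '{{ flavor }}'
    group: '{{ flavor }}'
    mode: '0755'

# Hardened: root owns both the directory and the binary; the service
# account can execute it but cannot modify or replace it.
- name: Ensure /usr/local/bin is root-owned and not group/world writable
  file:
    path: /usr/local/bin
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Install agent binary as root-owned, executable but read-only for others
  copy:
    src: '{{ agent_binary_src }}'
    dest: /usr/local/bin/gitlab-agent
    owner: root
    group: root
    mode: '0755'

# Guard against a later task or manual change handing the file back to
# the service account.
- name: Stat the installed agent binary
  stat:
    path: /usr/local/bin/gitlab-agent
  register: agent_stat

- name: Fail the play if the binary is missing, not root-owned, or writable by others
  assert:
    that:
      - agent_stat.stat.exists
      - agent_stat.stat.pw_name == 'root'
      - agent_stat.stat.gr_name == 'root'
      - agent_stat.stat.mode == '0755'
    fail_msg: '/usr/local/bin/gitlab-agent must be root:root 0755'
```

The `assert` task is what turns the ownership requirement into something the playbook enforces on every run rather than a one-time install choice: if the binary is ever chowned to the service account or made group/world writable, the play stops instead of silently running a replaceable agent.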