On Fri, 2020-04-03 at 09:21 +0200, Erik Skultety wrote: > On Tue, Mar 31, 2020 at 04:42:10PM +0200, Andrea Bolognani wrote: > > On Thu, 2020-03-26 at 14:33 +0100, Erik Skultety wrote: > > > +gitlab_runner_start() > > > +{ > > > + export USER=${user} > > > + export HOME=${user_home} > > > + export PATH=${PATH}:/usr/local/bin/:/usr/local/sbin/ > > > + if checkyesno ${rcvar}; then > > > + cd ${user_home} > > > + /usr/sbin/daemon -p ${pidfile} ${command} ${command_args} > /var/log/gitlab-runner.log 2>&1 > > > > The version in the official documentation does this a little > > differently... I guess the difference is that in their case the > > gitlab-runner application is running as the gitlab user, wereas in > > ours the daemon is running as root but is instructed to execute > > workloads as the gitlab user. The latter seems fine, as that's what > > happens on Linux as well, but have you fully considered the security > > implications? > > It is different because I wanted a unified behaviour on Linux and FreeBSD. > What security implications are you talking about, can you be more specific? The > machines are going to run behind a NAT, the daemon executing the service should > be trusted by default (otherwise, engage the tin foil hat mode), the gitlab > user doesn't have sudo permissions (and we should not trust this user), and in > later patches I setup a random root password, so that only access via an SSH > pub key to the root account is allowed. Alternatively, we could set up another > service user which will have sudo (not passwordless) access and will not run > any services, so that root isn't accessible over the network, would consider > that as suitable precaution measures? I trust gitlab-runner in the sense that I don't expect it to contain intentional backdoor, but not necessarily in the sense that I expect it to be entirely bug-free and impossible for an attacker to abuse as a compromise vector. With that in mind, running it as an unprivileged user right off the bat is obviously strictly safer than running it as root and delegating the privilege dropping part to it. Having the same behavior for both Linux and FreeBSD is certainly something that we should strive for, but can we make that behavior the safest one of the two? I have tested this, though not extensively, on Linux and adding User=gitlab to the service file seems to be basically all that's needed to make it work; for FreeBSD this setup is the one described in the official documentation, so I'm going to assume it's not going to cause any issues either. If we find that running gitlab-runner as an unprivileged user gets in the way we can certainly go back on this decision, but I would like to try and see if we can get the safest option to work first. -- Andrea Bolognani / Red Hat / Virtualization