Re: [libvirt-jenkins-ci PATCH v2 2/6] guests: users: Create a bin/ directory in the flavor user's home

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
> We're creating a dedicated user to run the gitlab agent, so why not
> store the agent within the user profile and execute it from there.

I'm wary of this as it seems like it can create a exploit vector.
ie malicious code running as the gitlab account can replace the
gitlab agent binary in its $HOME.

Shouldn't the binary be in /usr/local/bin and owned by root so
it is completely separated  ?

> 
> Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx>
> ---
>  guests/playbooks/update/tasks/users.yml | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/guests/playbooks/update/tasks/users.yml b/guests/playbooks/update/tasks/users.yml
> index a07349f..4b09416 100644
> --- a/guests/playbooks/update/tasks/users.yml
> +++ b/guests/playbooks/update/tasks/users.yml
> @@ -70,3 +70,10 @@
>    with_items:
>      - profile
>      - bash_logout
> +
> +- name: '{{ flavor }}: Create /home/{{ flavor }}/bin directory'
> +  file:
> +    path: /home/{{ flavor }}/bin
> +    state: directory
> +    owner: '{{ flavor }}'
> +    group: '{{ flavor }}'
> -- 
> 2.25.1
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|





[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux