On Tue, Apr 07, 2020 at 01:31:17PM +0200, Erik Skultety wrote:
> We're creating a dedicated user to run the gitlab agent, so why not
> store the agent within the user profile and execute it from there.

I'm wary of this as it seems like it can create an exploit vector, i.e.
malicious code running as the gitlab account can replace the gitlab agent
binary in its $HOME.

Shouldn't the binary be in /usr/local/bin and owned by root so it is
completely separated?

>
> Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx>
> ---
>  guests/playbooks/update/tasks/users.yml | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/guests/playbooks/update/tasks/users.yml b/guests/playbooks/update/tasks/users.yml
> index a07349f..4b09416 100644
> --- a/guests/playbooks/update/tasks/users.yml
> +++ b/guests/playbooks/update/tasks/users.yml
> @@ -70,3 +70,10 @@
>    with_items:
>      - profile
>      - bash_logout
> +
> +- name: '{{ flavor }}: Create /home/{{ flavor }}/bin directory'
> +  file:
> +    path: /home/{{ flavor }}/bin
> +    state: directory
> +    owner: '{{ flavor }}'
> +    group: '{{ flavor }}'
> --
> 2.25.1
>

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
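Review bot: the new `file` task in the hunk sets `owner` and `group` for /home/{{ flavor }}/bin but no `mode`, so the directory's permission bits depend on the remote umask; add an explicit `mode: '0755'` (or `'0750'`) so the result is reproducible across hosts. Separately, because the directory is owned by `{{ flavor }}`, any process running as that account can replace whatever binary is installed there, which is the tamper concern raised above; installing the agent into a root-owned directory such as /usr/local/bin with `owner: root`, `group: root` and `mode: '0755'` keeps it executable by the service account but not writable by it.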
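As an added example (not part of Erik's patch or the libvirt-ci playbooks), the following Ansible tasks put the weak setting from the hunk next to the root-owned alternative suggested in the reply, and end with a check that fails the play if the installed binary could be replaced by the service account. The variable `flavor` is taken from the patch; `gitlab_agent_src` (a path on the controller) and the destination name `/usr/local/bin/gitlab-agent` are assumptions.

```yaml
# Added example; not from the patch under review.
# Assumes `flavor` names the service account (as in the patch) and a
# hypothetical `gitlab_agent_src` pointing at the agent binary on the controller.

# Weak: a bin directory owned by the service account itself. Anything that
# runs as {{ flavor }} can overwrite whatever is installed here.
- name: '{{ flavor }}: Create /home/{{ flavor }}/bin directory (weak setting)'
  file:
    path: /home/{{ flavor }}/bin
    state: directory
    owner: '{{ flavor }}'
    group: '{{ flavor }}'
    mode: '0755'

# Hardened alternative: install the agent into a root-owned location that the
# service account can execute from but cannot write to.
- name: 'Install the gitlab agent into /usr/local/bin (root-owned)'
  become: true
  copy:
    src: '{{ gitlab_agent_src }}'        # assumed controller-side path
    dest: /usr/local/bin/gitlab-agent    # assumed destination name
    owner: root
    group: root
    mode: '0755'

# Verification: read back the installed file's ownership and permission bits.
- name: 'Stat the installed gitlab agent'
  stat:
    path: /usr/local/bin/gitlab-agent
  register: agent_stat

# Fail the play if the binary is missing, not owned by root, or writable by
# its group or by others (wgrp/woth are the stat module's writable flags).
- name: 'Assert the agent cannot be replaced by the service account'
  assert:
    that:
      - agent_stat.stat.exists
      - agent_stat.stat.pw_name == 'root'
      - not agent_stat.stat.wgrp
      - not agent_stat.stat.woth
    fail_msg: 'gitlab agent binary is not root-owned or is group/world writable'
```

The first task is kept only to show the contrast; in a real playbook you would drop it and use the `copy` task plus the `stat`/`assert` pair, so that a later change that loosens ownership or mode is caught on the next run.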