TL;DR: The GitLab Runner Docker executor checks out files with umask 000, so every file is writable by everyone, and those permissions survive packing the files into a package or tar archive and installing it.
I tried to build some Debian install packages using the Docker-based GitLab Runner. It works well. After installing the package, I wondered why the cron job wasn't running. Reviewing /var/log/syslog showed that the file in /etc/cron.d/ is writable by user, group and ... others. After changing the permissions, all works well.
At the next update of the package, the same thing again. OK, check the repository: all is fine. Downloading the .deb package and extracting it shows that all files are readable and writable by user, group and others, including the executables placed in /usr/local/sbin that run as root.
Take a look at the build process
I put some ls -l into the build pipeline, and it shows that all files are writable by everyone after the checkout from git. OK, that's not good, and I never noticed it before. I also tested building a Docker container: all permissions inside the image are fine; it only affects the files in the running container.
After some research I found an issue for the gitlab docker runner: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/37304
And this documentation: https://gitlab.com/gitlab-org/ci-cd/runner-tools/base-images/-/blob/main/dockerfiles/runner-helper/scripts/gitlab-runner-build?ref_type=heads
In short
By default, the GitLab Docker runner is started with umask 000. This means that all created directories get permission 777 and all files 666 (or 777 for executable files and scripts) during initialization, including the clone of the git repository. This is a high security risk!
In the script context after the container is started, the umask is 022, which is fine. All files created during the build have the right permissions.
- Runner starts with umask 000
- Project is cloned into the work directory of the container
- Runner seems to switch to umask 022
- Build scripts run
Setting the flag FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR to true for the whole runner fixes the issue. I also had to clean up all orphaned and cached volumes on the runner host. After that, the permissions of all files are correct after building and installing the .deb package.
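As an added example (not from the original post or from GitLab), a POSIX shell guard for the packaging step: it lists every world-writable entry in the staging tree, fails the job if any exist, and strips the stray group/other write bits the way a umask 022 checkout would have left them. The staging tree it builds is constructed to mimic what a umask-000 checkout produces; the paths and the `housekeeping` cron job are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to build the .deb while
# anything in the staging tree is writable by "others".

# list_world_writable DIR: print every file or directory under DIR whose
# "other" write bit is set, one path per line.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# check_tree DIR: succeed only if nothing under DIR is world-writable.
check_tree() {
    hits=$(list_world_writable "$1")
    [ -z "$hits" ] && return 0
    printf 'world-writable entries under %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# fix_tree DIR: drop group/other write bits, the result umask 022 would give.
fix_tree() {
    chmod -R go-w "$1"
}

# make_bad_tree: constructed staging tree laid out the way a umask-000 checkout
# leaves it (777 directories, 666 files, 777 scripts). Prints the tree's path.
make_bad_tree() {
    root=$(mktemp -d)
    (
        umask 000
        mkdir -p "$root/etc/cron.d" "$root/usr/local/sbin"
        echo '* * * * * root /usr/local/sbin/housekeeping' \
            > "$root/etc/cron.d/housekeeping"
        printf '#!/bin/sh\necho housekeeping\n' > "$root/usr/local/sbin/housekeeping"
        chmod 777 "$root/usr/local/sbin/housekeeping"
    )
    echo "$root"
}

# Stand-alone run: the guard rejects the bad tree, then accepts it once fixed.
tree=$(make_bad_tree)
check_tree "$tree" || echo "guard failed as expected, fixing permissions"
fix_tree "$tree"
check_tree "$tree" && echo "staging tree is clean, safe to package"
rm -rf "$tree"
```

In a pipeline, run `check_tree` on the packaging root right before `dpkg-deb --build`; a runner that still clones with umask 000 then fails the job instead of shipping world-writable files.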
Lessons learned: know your enemy, and always take control of your files after installation!