Merge branch 'wrapper-no-double-privilege-drop' into 'master'
Avoid privilege drop when already unprivileged If I am 'git' or 'gitlab-ci' I should be able to run e.g. 'gitlab-rake' without sudo. This make life a little easier in environments where admin access to the 'git' user account is allowed, but root access is not. See merge request !328
This commit is contained in:
commit
4d4e3702ff
|
@ -1,9 +1,15 @@
|
|||
#!/bin/sh
|
||||
|
||||
error_echo()
|
||||
{
|
||||
echo "$1" 2>& 1
|
||||
}
|
||||
|
||||
gitlab_ci_rc='<%= install_dir %>/etc/gitlab-ci/gitlab-ci-rc'
|
||||
if ! [ -f ${gitlab_ci_rc} ] ; then
|
||||
echo "$0 error: could not load ${gitlab_ci_rc}" 2>& 1
|
||||
echo "You can generate it with: sudo gitlab-ctl reconfigure" 2>& 1
|
||||
error_echo "$0 error: could not load ${gitlab_ci_rc}"
|
||||
error_echo "Either you are not allowed to read the file, or it does not exist yet."
|
||||
error_echo "You can generate it with: sudo gitlab-ctl reconfigure"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -11,4 +17,13 @@ fi
|
|||
|
||||
cd <%= install_dir %>/embedded/service/gitlab-ci
|
||||
|
||||
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-ci/env -u ${gitlab_ci_user} -U ${gitlab_ci_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
|
||||
if [ "$(id -n -u)" = "${gitlab_ci_user}" ] ; then
|
||||
# We are already running at the intended privilege; don't try to drop
|
||||
# privileges again because only root can do that (and we are apparently not
|
||||
# root!).
|
||||
privilege_drop=''
|
||||
else
|
||||
privilege_drop="-u ${gitlab_ci_user}"
|
||||
fi
|
||||
|
||||
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-ci/env ${privilege_drop} -U ${gitlab_ci_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
|
||||
|
|
|
@ -1,9 +1,15 @@
|
|||
#!/bin/sh
|
||||
|
||||
error_echo()
|
||||
{
|
||||
echo "$1" 2>& 1
|
||||
}
|
||||
|
||||
gitlab_rails_rc='<%= install_dir %>/etc/gitlab-rails/gitlab-rails-rc'
|
||||
if ! [ -f ${gitlab_rails_rc} ] ; then
|
||||
echo "$0 error: could not load ${gitlab_rails_rc}" 2>& 1
|
||||
echo "You can generate it with: sudo gitlab-ctl reconfigure" 2>& 1
|
||||
error_echo "$0 error: could not load ${gitlab_rails_rc}"
|
||||
error_echo "Either you are not allowed to read the file, or it does not exist yet."
|
||||
error_echo "You can generate it with: sudo gitlab-ctl reconfigure"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -11,4 +17,13 @@ fi
|
|||
|
||||
cd <%= install_dir %>/embedded/service/gitlab-rails
|
||||
|
||||
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-rails/env -u ${gitlab_user} -U ${gitlab_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
|
||||
if [ "$(id -n -u)" = "${gitlab_user}" ] ; then
|
||||
# We are already running at the intended privilege; don't try to drop
|
||||
# privileges again because only root can do that (and we are apparently not
|
||||
# root!).
|
||||
privilege_drop=''
|
||||
else
|
||||
privilege_drop="-u ${gitlab_user}"
|
||||
fi
|
||||
|
||||
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-rails/env ${privilege_drop} -U ${gitlab_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
|
||||
|
|
Loading…
Reference in New Issue