Merge branch 'wrapper-no-double-privilege-drop' into 'master'

Avoid privilege drop when already unprivileged

If I am 'git' or 'gitlab-ci' I should be able to run e.g. 'gitlab-rake'
without sudo. This makes life a little easier in environments where admin
access to the 'git' user account is allowed, but root access is not.

See merge request !328
Marin Jankovski 2015-06-08 08:37:29 +00:00
commit 4d4e3702ff
2 changed files with 36 additions and 6 deletions


@ -1,9 +1,15 @@
#!/bin/sh
error_echo()
{
echo "$1" 2>& 1
}
gitlab_ci_rc='<%= install_dir %>/etc/gitlab-ci/gitlab-ci-rc'
if ! [ -f ${gitlab_ci_rc} ] ; then
echo "$0 error: could not load ${gitlab_ci_rc}" 2>& 1
echo "You can generate it with: sudo gitlab-ctl reconfigure" 2>& 1
error_echo "$0 error: could not load ${gitlab_ci_rc}"
error_echo "Either you are not allowed to read the file, or it does not exist yet."
error_echo "You can generate it with: sudo gitlab-ctl reconfigure"
exit 1
fi
@ -11,4 +17,13 @@ fi
cd <%= install_dir %>/embedded/service/gitlab-ci
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-ci/env -u ${gitlab_ci_user} -U ${gitlab_ci_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
if [ "$(id -n -u)" = "${gitlab_ci_user}" ] ; then
# We are already running at the intended privilege; don't try to drop
# privileges again because only root can do that (and we are apparently not
# root!).
privilege_drop=''
else
privilege_drop="-u ${gitlab_ci_user}"
fi
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-ci/env ${privilege_drop} -U ${gitlab_ci_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
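Review bot: The new `error_echo` helper at the top of this wrapper still sends its message to stdout: `2>& 1` points stderr at stdout rather than the reverse, so the three "could not load" lines never reach stderr, where a caller capturing output would expect them. The body should be `echo "$1" >&2`. The gitlab-rails wrapper in this commit defines the same helper and needs the same change. While touching the file test, quoting the path as `[ -f "${gitlab_ci_rc}" ]` avoids word splitting if the install directory ever contains a space.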


@ -1,9 +1,15 @@
#!/bin/sh
error_echo()
{
echo "$1" 2>& 1
}
gitlab_rails_rc='<%= install_dir %>/etc/gitlab-rails/gitlab-rails-rc'
if ! [ -f ${gitlab_rails_rc} ] ; then
echo "$0 error: could not load ${gitlab_rails_rc}" 2>& 1
echo "You can generate it with: sudo gitlab-ctl reconfigure" 2>& 1
error_echo "$0 error: could not load ${gitlab_rails_rc}"
error_echo "Either you are not allowed to read the file, or it does not exist yet."
error_echo "You can generate it with: sudo gitlab-ctl reconfigure"
exit 1
fi
@ -11,4 +17,13 @@ fi
cd <%= install_dir %>/embedded/service/gitlab-rails
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-rails/env -u ${gitlab_user} -U ${gitlab_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
if [ "$(id -n -u)" = "${gitlab_user}" ] ; then
# We are already running at the intended privilege; don't try to drop
# privileges again because only root can do that (and we are apparently not
# root!).
privilege_drop=''
else
privilege_drop="-u ${gitlab_user}"
fi
exec <%= install_dir %>/embedded/bin/chpst -e <%= install_dir %>/etc/gitlab-rails/env ${privilege_drop} -U ${gitlab_user} <%= install_dir %>/embedded/bin/bundle exec <%= command %>
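Review bot: The comment above `privilege_drop=''` explains why `-u` is skipped, but not that the two branches can leave the process with different group membership. As far as I know `chpst -u` also resets the supplementary group list, whereas the already-unprivileged branch keeps whatever groups the calling session has, so a command started from an interactive 'git' shell may run with more groups than the same command started through sudo; this is worth confirming and stating in the comment. The unquoted `${privilege_drop}` on the `exec` line relies on word splitting on purpose, and a short comment such as `# intentionally unquoted: empty, or the two words -u USER` would keep a later cleanup from quoting it and breaking the root path. The gitlab-ci wrapper in this commit has the identical block.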