| author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-01-13 14:57:15 +0300 |
|---|---|---|
| committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2022-01-13 17:45:32 +0300 |
| commit | 889450266229bf8ad39f19e4dd7d70abe67303e5 (patch) | |
| tree | 0a37e548bbcab4fcfc2c2f3a11f73621e9f108d3 /.gitlab-ci.yml | |
| parent | dbbca37ccd57f4022df880f0a8399689f080c5b3 (diff) | |
ci: Run tests as unprivileged user
The CI tests are currently running as "root" user. It goes without
saying that this user has special privileges that other users are
lacking, and that in turn means that a test run as root may not reflect
what would happen when it were run as a normal user. Most importantly,
root users have the CAP_DAC_OVERRIDE capability, which allows them to
override permission bits of files and directories. This means that they
can open a directory that's lacking the executable-bit, read a file
that's missing its readable-bit or write a file that's missing its
writeable-bit. And sure enough, we have such a test where we rely on
this behaviour.
Let's improve the situation by running tests as an unprivileged user. This
both ensures that we never write data into the source directory (all
data should be written into temporary directories, only), and that we do
not have any capabilities which override the basic workings of a Unix
system.
Diffstat (limited to '.gitlab-ci.yml')
-rw-r--r-- | .gitlab-ci.yml | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 149b4cd2a..38a6a4133 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -157,16 +157,17 @@ build:binaries: test: <<: *test_definition script: - # This command will make all directories except of our build directory and Ruby code unwritable. - # The purpose is to verify that there is no test which writes into those directories anymore, as - # they should all instead use a temporary directory for runtime data. - - find . -type d \( -path ./_build -o -path ./ruby \) -prune -o -type d -exec chmod a-w {} \; # If we're testing with bundled Git, then we don't want to have the Git # installation around. Otherwise, Git would be able to resolve its binaries # by just looking at its own GIT_PREFIX and then pick binaries from that # installation directory. - if test -n "${WITH_BUNDLED_GIT}"; then rm -rf _build/deps/git/install; fi - - make ${TARGET} + # We need to prepare test dependencies as privileged user. + - make build prepare-tests + # But the actual tests should run unprivileged. This assures that we pay + # proper attention to permission bits and that we don't modify the source + # directory. + - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease parallel: matrix: # These definitions are for the non-default Git versions. @@ -234,7 +235,8 @@ test:nightly: <<: *test_definition script: - go version - - make all ${TARGET} + - make build prepare-tests + - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease parallel: matrix: - GIT_VERSION: [ "master", "next" ] |
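Review bot: in the `test` job, `env HOME=/dev/null` on the `setpriv` line leaves the unprivileged run without a writable home, so anything that derives a writable directory from `$HOME` (Go's default build cache under `$HOME/.cache`, for instance) has nowhere to write unless the `test_definition` anchor already exports `GOCACHE` or an equivalent; the comment above that line should state that assumption. Separately, removing the `find . -type d ... chmod a-w` step means the "we don't modify the source directory" guarantee now rests only on the checkout and the `make build prepare-tests` outputs being owned by root and not world-writable; spelling that out in the new comment would make it clear that a runner checking out with a permissive umask silently loses the check.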
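Review bot: the `setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease` line in `test:nightly` is a verbatim copy of the one in `test`; hoisting it into a shared YAML anchor or variable would keep the uid, `--no-new-privs` and `HOME=/dev/null` settings from drifting apart between the two jobs. Also, this job previously ran `make all ${TARGET}` and now runs `make build prepare-tests`; if `all` covered targets beyond `build` that the nightly run depended on, they are now skipped and the change should say so.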