buildkite / docker-buildkite-agent

Previous home of buildkite/agent docker image scripts

Run the buildkite daemon as a non-root user, buildkite-agent #18

Closed lox closed 7 years ago

lox commented 8 years ago

Dropping privileges of the buildkite-agent provides some extra level of protection against third-party code being executed by the agent.

dkubb commented 8 years ago

OT but should https://buildkite.com/buildkite/docker-buildkite-agent/ be publicly visible?

dkubb commented 8 years ago

@lox did you mean to commit changes to scripts/build.sh in this PR?

Also, as a test I ran scripts/build.sh through http://www.shellcheck.net/ and it flagged several things. Do you want me to report it as a separate issue? (or does it not matter? I'm not sure about your internal coding guidelines)

dkubb commented 8 years ago

I found another problem with this docker container. Specifically, the buildkite user's .ssh directory is not executable, so the buildkite user can't access it to append to ~/.ssh/known_hosts, which it does when pulling down a repo from github, e.g.:

$ ls -al /home/buildkite/
total 12
drwxr-sr-x    3 buildkit buildkit      4096 Jan 15 19:53 .
drwxr-xr-x    4 root     root          4096 Jan 15 19:53 ..
drw-------    2 buildkit buildkit      4096 Jan 15 19:53 .ssh

It looks like this is caused by the ssh-env-config.sh script setting the directory explicitly to 0600: https://github.com/buildkite/docker-ssh-env-config/blob/master/ssh-env-config.sh#L17

This probably never caused any issues before when running everything as root, but it would affect the buildkite user.

dkubb commented 8 years ago

> It looks like this is caused by the ssh-env-config.sh script setting the directory explicitly to 0600

I created a pull request to fix this at: https://github.com/buildkite/docker-ssh-env-config/pull/1

lox commented 8 years ago

Oops, I didn't mean to commit the build.sh changes, no.

RE: shellcheck, I get those in my IDE, and AFAIK I've dealt with any that aren't spurious (like unquoted $@).

lox commented 8 years ago

Hrm. I wonder how this should work with docker-in-docker, as the buildkite-agent user would need to be in the docker group, which is effectively root. Thoughts @dkubb?
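The two hazards raised in this thread, the 0600 .ssh directory that blocks the non-root agent from appending to known_hosts and docker-group membership being root-equivalent, can be checked before an image ships. The script below is an added example, not part of the buildkite/docker-buildkite-agent scripts or of ssh-env-config.sh; the user name buildkite-agent and the /home/<user> layout are assumptions, and the functions take their inputs as arguments so they can be exercised against a throwaway directory.

```shell
#!/bin/sh
# Added example (not the project's own code): audit a non-root CI agent user
# for the two problems discussed above. User name and home path are assumed.

# Return 0 if the directory's owner-execute (search) bit is set.
# A 0600 directory fails: the owner can see the inode but cannot open,
# create or append to files inside it, so known_hosts writes get EACCES.
ssh_dir_searchable() {
  dir="$1"
  [ -d "$dir" ] || return 1
  # 4th character of `ls -ld` output is the owner execute slot: x, s or -
  owner_x=$(ls -ld "$dir" | cut -c4)
  case "$owner_x" in
    x|s) return 0 ;;
    *)   return 1 ;;
  esac
}

# Make the directory private but searchable by its owner (0700), which is
# what ssh expects, then re-check it.
fix_ssh_dir() {
  chmod 700 "$1" && ssh_dir_searchable "$1"
}

# Given the output of `id -nG <user>` (a space-separated group list),
# return 0 if "docker" is among the groups. Access to the docker daemon
# socket is root-equivalent on the host, so a sandboxed agent user gains
# nothing from dropping root if it keeps this membership.
in_docker_group() {
  for g in $1; do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# Run both checks for a user; exit status 1 if the .ssh directory is wrong.
audit_agent_user() {
  user="${1:-buildkite-agent}"   # assumed user name
  home="${2:-/home/$user}"       # assumed home layout
  status=0
  if ssh_dir_searchable "$home/.ssh"; then
    echo "ok: $home/.ssh is searchable by its owner"
  else
    echo "fail: $home/.ssh is not searchable (expected 0700, got $(ls -ld "$home/.ssh" 2>/dev/null | cut -c1-10))"
    status=1
  fi
  if in_docker_group "$(id -nG "$user" 2>/dev/null)"; then
    echo "warn: $user is in the docker group (root-equivalent via the daemon socket)"
  fi
  return $status
}

# Usage inside the image, e.g. as an image test step:
#   audit_agent_user buildkite-agent /home/buildkite
```

The .ssh check reads the mode bits rather than attempting a write, because a write test run as root would pass regardless (root bypasses directory search permission) and would hide exactly the failure the non-root user hits.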

lox commented 8 years ago

This is ready to go pending review @toolmantim

toolmantim commented 8 years ago

:+1: Looks good, let's do it. Thanks for figuring out the magic sudo incantations and handling 1.8, 1.9 and DIND!

lox commented 8 years ago

@dkubb any feedback on this?

toolmantim commented 8 years ago

Is this still a thing?

lox commented 8 years ago

It is, yeah, I'm a bit nervous about what effect it will have though. I'll rebase and get it perhaps into some experimental images.