Add protection to disable Gitea when run as root (#17168)
Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: 6543 <6543@obermui.de>
This commit is contained in:
parent
4afdb1eb78
commit
f0bd1e9896
24
.drone.yml
24
.drone.yml
|
@ -207,8 +207,14 @@ steps:
|
||||||
commands:
|
commands:
|
||||||
- git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}
|
- git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}
|
||||||
|
|
||||||
|
- name: fix-permissions
|
||||||
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
commands:
|
||||||
|
- chown -R gitea:gitea .
|
||||||
|
|
||||||
- name: unit-test
|
- name: unit-test
|
||||||
image: golang:1.17
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- make unit-test-coverage test-check
|
- make unit-test-coverage test-check
|
||||||
environment:
|
environment:
|
||||||
|
@ -220,7 +226,8 @@ steps:
|
||||||
|
|
||||||
- name: unit-test-gogit
|
- name: unit-test-gogit
|
||||||
pull: always
|
pull: always
|
||||||
image: golang:1.17
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- make unit-test-coverage test-check
|
- make unit-test-coverage test-check
|
||||||
environment:
|
environment:
|
||||||
|
@ -232,6 +239,7 @@ steps:
|
||||||
|
|
||||||
- name: test-mysql
|
- name: test-mysql
|
||||||
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- make test-mysql-migration integration-test-coverage
|
- make test-mysql-migration integration-test-coverage
|
||||||
environment:
|
environment:
|
||||||
|
@ -246,6 +254,7 @@ steps:
|
||||||
|
|
||||||
- name: test-mysql8
|
- name: test-mysql8
|
||||||
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- timeout -s ABRT 40m make test-mysql8-migration test-mysql8
|
- timeout -s ABRT 40m make test-mysql8-migration test-mysql8
|
||||||
environment:
|
environment:
|
||||||
|
@ -259,6 +268,7 @@ steps:
|
||||||
|
|
||||||
- name: test-mssql
|
- name: test-mssql
|
||||||
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- make test-mssql-migration test-mssql
|
- make test-mssql-migration test-mssql
|
||||||
environment:
|
environment:
|
||||||
|
@ -343,9 +353,15 @@ steps:
|
||||||
exclude:
|
exclude:
|
||||||
- pull_request
|
- pull_request
|
||||||
|
|
||||||
|
- name: fix-permissions
|
||||||
|
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
||||||
|
commands:
|
||||||
|
- chown -R gitea:gitea .
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
pull: always
|
pull: always
|
||||||
image: golang:1.17
|
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- make backend
|
- make backend
|
||||||
environment:
|
environment:
|
||||||
|
@ -355,6 +371,7 @@ steps:
|
||||||
|
|
||||||
- name: test-sqlite
|
- name: test-sqlite
|
||||||
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- timeout -s ABRT 40m make test-sqlite-migration test-sqlite
|
- timeout -s ABRT 40m make test-sqlite-migration test-sqlite
|
||||||
environment:
|
environment:
|
||||||
|
@ -368,6 +385,7 @@ steps:
|
||||||
|
|
||||||
- name: test-pgsql
|
- name: test-pgsql
|
||||||
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
|
||||||
|
user: gitea
|
||||||
commands:
|
commands:
|
||||||
- timeout -s ABRT 40m make test-pgsql-migration test-pgsql
|
- timeout -s ABRT 40m make test-pgsql-migration test-pgsql
|
||||||
environment:
|
environment:
|
||||||
|
|
|
@ -902,6 +902,9 @@ func NewContext() {
|
||||||
}
|
}
|
||||||
|
|
||||||
RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
|
RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
|
||||||
|
// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
|
||||||
|
// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
|
||||||
|
unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
|
||||||
RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
|
RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
|
||||||
// Does not check run user when the install lock is off.
|
// Does not check run user when the install lock is off.
|
||||||
if InstallLock {
|
if InstallLock {
|
||||||
|
@ -911,6 +914,15 @@ func NewContext() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check if we run as root
|
||||||
|
if os.Getuid() == 0 {
|
||||||
|
if !unsafeAllowRunAsRoot {
|
||||||
|
// Special thanks to VLC which inspired the wording of this messaging.
|
||||||
|
log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
|
||||||
|
}
|
||||||
|
log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
|
||||||
|
}
|
||||||
|
|
||||||
SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
|
SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
|
||||||
|
|
||||||
newRepository()
|
newRepository()
|
||||||
|
|
Loading…
Reference in a new issue