1Kas
Is everybody aware that GitLab CI+docker-executor produces world-writable files?
This is a question for feedback, to find if the problem has a widespread impact.
Situation:
When using GitLab CI with the docker-executor, the 'git clone' of the repository in use is done with umask 0000.
This effectively makes all cloned content world-writable.
Shipping these files as-is (in docker images for example) can potentially create huge security issues, depending on the piece of software.
At least in our case, the workflow GitLab CI -> docker-executor -> build and upload docker image from repo is the predominant thing we do and we ended up with docker images containing world-writable code.
When researching the issue, we found:
- That it's been around since late 2015 and that virtually nobody is talking about it
- That there is a feature flag to disable this (FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR) since late 2020 but nobody is talking about that either
This leaves us with 3...
Question(s):
- Is nobody using GitLab like this?
- Is everybody always chmod-ing all content from the repositories / in the output?
- Is there a load of software distributions with world-writable code?
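A local reproduction of the umask effect described above, together with the world-writable check and the chmod remediation a build step could apply before an image is built. This is an added example, not code from the original post or from GitLab; it assumes a POSIX shell with find, chmod and mktemp, and assumes 0022 as the container's usual umask once the runner's umask 0000 is disabled by the feature flag.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the umask 0000 effect
# locally and detect world-writable files before they are shipped in an image.
# Assumes POSIX sh with find, chmod and mktemp; no GitLab runner is needed.

# List regular files and directories under $1 that are writable by "others".
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -o+w
}

# Number of world-writable entries under $1 (what a CI gate would check).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Create a small tree under $1 with umask $2, mimicking how the clone
# behaves: umask 0000 leaves every file and directory with o+w set.
populate_tree() {
    dir=$1; mask=$2
    ( umask "$mask"
      mkdir -p "$dir/app/bin"
      printf 'echo hello\n' > "$dir/app/bin/run.sh"
      printf 'x=1\n' > "$dir/app/config.ini" )
}

# Remediation for a build step when the feature flag is not used:
# strip the write bit for "others" from the whole checkout.
strip_world_write() {
    chmod -R o-w "$1"
}

# Demonstration when run stand-alone as: sh script.sh --demo
demo() {
    work=$(mktemp -d)
    populate_tree "$work/umask0000" 0000   # default docker-executor clone
    populate_tree "$work/umask0022" 0022   # assumed umask once the flag disables it
    echo "umask 0000 tree: $(count_world_writable "$work/umask0000") world-writable entries"
    echo "umask 0022 tree: $(count_world_writable "$work/umask0022") world-writable entries"
    strip_world_write "$work/umask0000"
    echo "after chmod -R o-w: $(count_world_writable "$work/umask0000") world-writable entries"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The same `count_world_writable` check can gate a pipeline stage by failing when the result is non-zero.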