From 9137b0ca249f4058ded4fad6643564543d614d6f Mon Sep 17 00:00:00 2001
From: Matti R
Date: Mon, 27 Sep 2021 23:44:18 -0400
Subject: [PATCH 01/11] Add protection to disable Gitea when run as root
---
 modules/setting/setting.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index afd1e49aed07f..a1b4308debf0d 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -898,6 +898,9 @@ func NewContext() {
 	}
 	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
+	// The following an unsafe option, purposely left out of documentation. Please do not run Gitea as root. It will only cause future headaches.
+	// Please don't use root as a bandaid to "fix" something that is brokenn, instead the broken thing should instead be fixed properly.
+	UnsafeAllowRunAsRoot = Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
 	// Does not check run user when the install lock is off.
 	if InstallLock {
@@ -907,6 +910,14 @@ func NewContext() {
 		}
 	}
+	if RunUser == "root" && !UnsafeAllowRunAsRoot {
+		if !UnsafeAllowRunAsRoot {
+			// Special thanks to VLC which inspired the wording of this messaging.
+			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
+		}
+		log.Warn("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
+	}
+
 	SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
 	newRepository()
From 9834049d2f668eef353648d77f5fb59645ab2501 Mon Sep 17 00:00:00 2001
From: Matti R
Date: Tue, 28 Sep 2021 00:11:38 -0400
Subject: [PATCH 02/11] placate lint
---
 modules/setting/setting.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index a1b4308debf0d..e393c3eb50e30 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -900,7 +900,7 @@ func NewContext() {
 	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
 	// The following an unsafe option, purposely left out of documentation. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is brokenn, instead the broken thing should instead be fixed properly.
-	UnsafeAllowRunAsRoot = Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
+	unsafeAllowRunAsRoot = Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
 	// Does not check run user when the install lock is off.
 	if InstallLock {
@@ -910,10 +910,10 @@ func NewContext() {
 		}
 	}
-	if RunUser == "root" && !UnsafeAllowRunAsRoot {
-		if !UnsafeAllowRunAsRoot {
+	if RunUser == "root" {
+		if !unsafeAllowRunAsRoot {
 			// Special thanks to VLC which inspired the wording of this messaging.
-			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
+			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
 		}
 		log.Warn("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 	}
From 4c6e567eabbea3cc0d59ff3e3c55a32118732236 Mon Sep 17 00:00:00 2001
From: Matti R
Date: Tue, 28 Sep 2021 00:19:39 -0400
Subject: [PATCH 03/11] woops, this isn't an exsting var
---
 modules/setting/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index e393c3eb50e30..6d3fba7528dbd 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -900,7 +900,7 @@ func NewContext() {
 	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
 	// The following an unsafe option, purposely left out of documentation. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is brokenn, instead the broken thing should instead be fixed properly.
-	unsafeAllowRunAsRoot = Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
+	unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
 	// Does not check run user when the install lock is off.
 	if InstallLock {
From 45db44cfc6a89eb7abf5752d57914ed8111dc1b0 Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Tue, 28 Sep 2021 12:23:59 -0400
Subject: [PATCH 04/11] Update modules/setting/setting.go
Co-authored-by: delvh
---
 modules/setting/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 6d3fba7528dbd..9e397f8d09f17 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -899,7 +899,7 @@ func NewContext() {
 	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
 	// The following an unsafe option, purposely left out of documentation. Please do not run Gitea as root. It will only cause future headaches.
-	// Please don't use root as a bandaid to "fix" something that is brokenn, instead the broken thing should instead be fixed properly.
+	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
 	unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
 	// Does not check run user when the install lock is off.
From 8c3c6d6d426bf821c859682c7b178471ad4ec965 Mon Sep 17 00:00:00 2001
From: techknowlogick
Date: Tue, 28 Sep 2021 12:24:07 -0400
Subject: [PATCH 05/11] Update modules/setting/setting.go
Co-authored-by: delvh
---
 modules/setting/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 9e397f8d09f17..7d3053e22727f 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -898,7 +898,7 @@ func NewContext() {
 	}
 	RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
-	// The following an unsafe option, purposely left out of documentation. Please do not run Gitea as root. It will only cause future headaches.
+	// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
 	unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
 	RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
From cbe7f2ea5c4be9d74518ee7d9ce451558d8ea862 Mon Sep 17 00:00:00 2001
From: Matti R
Date: Tue, 28 Sep 2021 12:48:28 -0400
Subject: [PATCH 06/11] update drone to use non-root user
---
 .drone.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.drone.yml b/.drone.yml
index 7be296fa5f1c1..b4ac6eefadbc7 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -209,6 +209,7 @@ steps:
   - name: unit-test
     image: golang:1.17
+    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
@@ -221,6 +222,7 @@ steps:
   - name: unit-test-gogit
     pull: always
     image: golang:1.17
+    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
@@ -232,6 +234,7 @@ steps:
   - name: test-mysql
     image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - make test-mysql-migration integration-test-coverage
     environment:
@@ -246,6 +249,7 @@ steps:
   - name: test-mysql8
     image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - timeout -s ABRT 40m make test-mysql8-migration test-mysql8
     environment:
@@ -259,6 +263,7 @@ steps:
   - name: test-mssql
     image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - make test-mssql-migration test-mssql
     environment:
@@ -355,6 +360,7 @@ steps:
   - name: test-sqlite
     image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - timeout -s ABRT 40m make test-sqlite-migration test-sqlite
     environment:
@@ -368,6 +374,7 @@ steps:
   - name: test-pgsql
     image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - timeout -s ABRT 40m make test-pgsql-migration test-pgsql
     environment:
From 717f54ca22328356daa5c4280b983a072a63e17e Mon Sep 17 00:00:00 2001
From: Matti R
Date: Tue, 28 Sep 2021 22:23:43 -0400
Subject: [PATCH 07/11] not all steps have custom image
---
 .drone.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index b4ac6eefadbc7..db90f29186b91 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -209,7 +209,6 @@ steps:
   - name: unit-test
     image: golang:1.17
-    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
@@ -222,7 +221,6 @@ steps:
   - name: unit-test-gogit
     pull: always
     image: golang:1.17
-    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
From ad3c03ea47736af5f29351a1d51a07a299473233 Mon Sep 17 00:00:00 2001
From: Matti R
Date: Tue, 28 Sep 2021 22:29:24 -0400
Subject: [PATCH 08/11] not all steps have custom image
---
 .drone.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.drone.yml b/.drone.yml
index db90f29186b91..2ea0133f4cd3e 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -208,7 +208,8 @@ steps:
       - git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}
   - name: unit-test
-    image: golang:1.17
+    image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
@@ -220,7 +221,8 @@ steps:
   - name: unit-test-gogit
     pull: always
-    image: golang:1.17
+    image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - make unit-test-coverage test-check
     environment:
@@ -348,7 +350,8 @@ steps:
   - name: build
     pull: always
-    image: golang:1.17
+    image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
+    user: gitea
     commands:
       - make backend
     environment:
From 4fd6aa313a95ef9b917f276cb5ba74095396d61f Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Wed, 6 Oct 2021 01:29:03 +0200
Subject: [PATCH 09/11] Critical
---
 modules/setting/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 0dc98bc64a1ce..946c20db21855 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
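Review bot: The `build` step in the `@@ -348,7 +350,8 @@` hunk now runs `make backend` from `gitea/test_env:linux-arm64` with `pull: always`, and that is a floating tag rather than a digest, so the toolchain producing the build output can change underneath the pipeline without any commit to this repository. The pre-existing test steps already use the same floating tag, so this is not new to the series, but the build step is the one whose output leaves the pipeline; if it feeds published artifacts (not visible here), consider pinning it, e.g. `image: gitea/test_env:linux-arm64@sha256:<digest>`, and bumping the digest deliberately. The same consideration applies to the two `unit-test` steps switched in the first two hunks. The `user: gitea` lines assume that account exists in the test_env image, which the preceding patch 07 implies is the reason for moving off `golang:1.17`.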
@@ -919,7 +919,7 @@ func NewContext() {
 			// Special thanks to VLC which inspired the wording of this messaging.
 			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
 		}
-		log.Warn("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
+		log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 	}
 	SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)
From 58681698e8f92ae48724b0f2309d7263f55a5601 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Wed, 6 Oct 2021 01:41:00 +0200
Subject: [PATCH 10/11] use uid
---
 modules/setting/setting.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 946c20db21855..2133184cfc40d 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -914,7 +914,8 @@ func NewContext() {
 		}
 	}
-	if RunUser == "root" {
+	// check if we run as root
+	if os.Getuid() == 0 {
 		if !unsafeAllowRunAsRoot {
 			// Special thanks to VLC which inspired the wording of this messaging.
 			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
From 958400140cfd2fdc186351d41ff1fb013b1d22ac Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Thu, 7 Oct 2021 10:31:00 +0200
Subject: [PATCH 11/11] add "fix-permissions"
---
 .drone.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.drone.yml b/.drone.yml
index f914be16b0c29..a24f4c621e718 100644
--- a/.drone.yml
+++ b/.drone.yml
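Review bot: In the `@@ -914,7 +914,8 @@` hunk `os.Getuid()` inspects only the real uid, so a process whose effective uid is 0 while its real uid is not (a setuid-root binary launched by an unprivileged account, for instance) still passes the guard even though it is effectively root; checking both ids closes that gap: `if os.Getuid() == 0 || os.Geteuid() == 0 {`. `os.Getuid` and `os.Geteuid` both return -1 on Windows, so the guard is a no-op there, which is worth stating in the comment rather than leaving as `// check if we run as root`, e.g. `// Refuse to run with uid or euid 0; Getuid/Geteuid return -1 on Windows, so this only applies on Unix-like systems.` Because this lives in `NewContext`, it presumably fires for every subcommand that loads settings, not just the web server; if that is intended, a sentence saying so in the comment would spare the next reader the question. The patch adds no import, so `os` appears to already be imported in this file, though that is not visible here. The `if` body and the enclosing function continue outside the hunk.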
@@ -207,6 +207,11 @@ steps:
     commands:
       - git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}
+  - name: fix-permissions
+    image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
+    commands:
+      - chown -R gitea:gitea .
+
   - name: unit-test
     image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
     user: gitea
@@ -348,6 +353,11 @@ steps:
     exclude:
       - pull_request
+  - name: fix-permissions
+    image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
+    commands:
+      - chown -R gitea:gitea .
+
   - name: build
     pull: always
     image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env