Skip to content

Commit

Permalink
Add protection to disable Gitea when run as root (go-gitea#17168)
Browse files Browse the repository at this point in the history
Co-authored-by: delvh <[email protected]>
Co-authored-by: 6543 <[email protected]>
  • Loading branch information
3 people authored Oct 7, 2021
1 parent 4afdb1e commit f0bd1e9
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 3 deletions.
24 changes: 21 additions & 3 deletions .drone.yml
Original file line number Diff line number Diff line change
Expand Up @@ -207,8 +207,14 @@ steps:
commands:
- git update-ref refs/heads/tag_test ${DRONE_COMMIT_SHA}

- name: fix-permissions
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
commands:
- chown -R gitea:gitea .

- name: unit-test
image: golang:1.17
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- make unit-test-coverage test-check
environment:
Expand All @@ -220,7 +226,8 @@ steps:

- name: unit-test-gogit
pull: always
image: golang:1.17
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- make unit-test-coverage test-check
environment:
Expand All @@ -232,6 +239,7 @@ steps:

- name: test-mysql
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- make test-mysql-migration integration-test-coverage
environment:
Expand All @@ -246,6 +254,7 @@ steps:

- name: test-mysql8
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- timeout -s ABRT 40m make test-mysql8-migration test-mysql8
environment:
Expand All @@ -259,6 +268,7 @@ steps:

- name: test-mssql
image: gitea/test_env:linux-amd64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- make test-mssql-migration test-mssql
environment:
Expand Down Expand Up @@ -343,9 +353,15 @@ steps:
exclude:
- pull_request

- name: fix-permissions
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
commands:
- chown -R gitea:gitea .

- name: build
pull: always
image: golang:1.17
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- make backend
environment:
Expand All @@ -355,6 +371,7 @@ steps:

- name: test-sqlite
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- timeout -s ABRT 40m make test-sqlite-migration test-sqlite
environment:
Expand All @@ -368,6 +385,7 @@ steps:

- name: test-pgsql
image: gitea/test_env:linux-arm64 # https://gitea.com/gitea/test-env
user: gitea
commands:
- timeout -s ABRT 40m make test-pgsql-migration test-pgsql
environment:
Expand Down
12 changes: 12 additions & 0 deletions modules/setting/setting.go
Original file line number Diff line number Diff line change
Expand Up @@ -902,6 +902,9 @@ func NewContext() {
}

RunUser = Cfg.Section("").Key("RUN_USER").MustString(user.CurrentUsername())
// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
unsafeAllowRunAsRoot := Cfg.Section("").Key("I_AM_BEING_UNSAFE_RUNNING_AS_ROOT").MustBool(false)
RunMode = Cfg.Section("").Key("RUN_MODE").MustString("prod")
// Does not check run user when the install lock is off.
if InstallLock {
Expand All @@ -911,6 +914,15 @@ func NewContext() {
}
}

// check if we run as root
if os.Getuid() == 0 {
if !unsafeAllowRunAsRoot {
// Special thanks to VLC which inspired the wording of this messaging.
log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
}
log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
}

SSH.BuiltinServerUser = Cfg.Section("server").Key("BUILTIN_SSH_SERVER_USER").MustString(RunUser)

newRepository()
Expand Down

0 comments on commit f0bd1e9

Please sign in to comment.