Ability to turn on/off running `umask 0000` command for Kubernetes executor
Description
The helper image executes `umask 0000`, which results in 777 permissions on every directory and 666 on every file it creates. Everything it writes into the build container is therefore writable by any user in that container, not only the build user, which is not best practice.
Proposal
This proposal is to add a new feature flag, similar to `FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR`, that gives the ability to not run `umask 0000`. Instead, when the flag is on, change the ownership of the working directory in the build container to the UID and GID of the user defined by the `USER` directive in the build image.
Additional context
The code in https://gitlab.com/gitlab-org/gitlab-runner/-/blob/511bf632bf402d92c9621625b2186cbc3b68752d/executors/docker/docker_command.go#L212-244 essentially:
- Inspects what user/group is used with the image
- Runs `chown` on the project dir with that image
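The following shell script is an added illustration and is not gitlab-runner code. It reproduces the permission effect of `umask 0000` versus a restrictive umask in a scratch directory, and sketches the ownership-based alternative the proposal describes: map the image's `USER` value to a `chown` owner spec instead of making the checkout world-writable. The treatment of root (no `chown` needed) and the handling of a user-only value are assumptions made for the example, not the runner's documented behaviour.

```shell
#!/bin/sh
# Added example, not gitlab-runner's implementation.

# Create a directory and a file under the given umask in a scratch directory
# and return "<dirmode> <filemode>" in octal, e.g. "777 666" for umask 0000.
# The umask is changed only inside a subshell so the caller is unaffected.
perms_with_umask() {
    scratch=$(mktemp -d)
    (
        cd "$scratch" || exit 1
        umask "$1"
        mkdir builddir
        : > buildfile
        # GNU stat first, BSD stat as a fallback
        d=$(stat -c '%a' builddir 2>/dev/null || stat -f '%Lp' builddir)
        f=$(stat -c '%a' buildfile 2>/dev/null || stat -f '%Lp' buildfile)
        echo "$d $f"
    )
    rm -rf "$scratch"
}

# Map the image's Config.User (what the USER directive sets; empty means root)
# to the owner spec that would be passed to chown. Assumptions for this example:
# root (empty, "root", "0", or either with a group) needs no chown because the
# helper already writes the checkout as root; a bare user keeps its primary
# group; names are left unresolved because they only resolve against the build
# image's own /etc/passwd, which is why the chown has to run with that image.
chown_spec_for_image_user() {
    user=$1
    case "$user" in
        ""|root|0|root:*|0:*) echo "" ;;   # root: leave ownership alone
        *)                    echo "$user" ;;   # "uid:gid", "name:group" or "name"
    esac
}

# Demonstration of the two behaviours.
echo "umask 0000 -> dir/file modes: $(perms_with_umask 0000)"
echo "umask 0022 -> dir/file modes: $(perms_with_umask 0022)"
for u in "" "root" "1000:1000" "app" "1000"; do
    spec=$(chown_spec_for_image_user "$u")
    if [ -n "$spec" ]; then
        echo "USER '$u' -> run in the build image: chown -R $spec <project dir>"
    else
        echo "USER '$u' -> image runs as root, no chown needed"
    fi
done
```

The first function shows why `umask 0000` is the problem: with it, every created path is 777/666, while the conventional 0022 gives 755/644. The second function shows the shape of the replacement step: instead of loosening the mode bits for everyone, the checkout is handed to the single user the image actually runs as, and the `chown` must be executed with the build image so that a symbolic `USER` resolves correctly.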
Links to related issues and merge requests / references
Edited by Darren Eastman