Let users know when we've detected a potentially insecure configuration
Description
There are many, many, many ways to configure GitLab Runner, and some of them we know to be insecure when used in the wrong context. For example, using the Shell executor in a shared environment gives anyone who can run jobs there access to the underlying server the runner is on. Similar but more nuanced concerns come up too: using the docker-machine executor in a way that re-uses the ephemeral VMs can be insecure if you can't trust the people running jobs there. That's why we re-use ephemeral VMs on Runners for known GitLab-internal jobs but not on the shared runners for everyone else.
The tricky thing for our users is being aware of this nuance. My estimate is that half of the security issues that get raised for the Runner end up being these cases where someone has configured the runner in a somewhat insecure way and then exploited that.
Proposal
Conceptually inspired by the Linux kernel's notion of a tainted kernel: when the Runner's config.toml is loaded we should check it against a list of known potentially insecure settings (shell executor, docker-machine with reuse, etc.) and, if any are detected, add a message to the runner's log saying something like:
Warning: Potentially insecure settings used. See https://docs.gitlab.com/runner/potentially-insecure/settings to learn more.
By doing it on config.toml load, not on start-up, we would also detect when an insecure setting is changed and picked up by a hot-reload. I would also suggest NOT logging when the opposite happens (removing the insecure setting) as it's too cumbersome and might create a false sense of security. If users want to use this as a validation they should stop and restart the runner and see that no warning appears.
This would require both the code change and some more investment in the docs: probably a table of the scenarios we're flagging that lists, for each one, the setting we're concerned about, why it can be a concern, and situations where it might be okay to keep using it.
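An added sketch of the check described above, written in Go because that is the Runner's language; it is example code, not GitLab Runner's own. A rule table of known potentially insecure settings is evaluated against the loaded [[runners]] entries on every config load, and a warning is logged only when a rule matches. The config structs, the rule ids, and the reading of a MaxBuilds value other than 1 as "VM reuse" are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// Mirror of the fields a loaded [[runners]] entry needs for these checks (assumed shape;
// in the real Runner they would come from its own config.toml loader).
type MachineConfig struct{ MaxBuilds int } // [runners.machine]
type RunnerConfig struct {
	Executor string
	Machine  *MachineConfig // nil when [runners.machine] is absent
}
// One row of the "known potentially insecure settings" table the docs would carry.
type taintRule struct {
	id, why string
	match   func(RunnerConfig) bool
}
var taintRules = []taintRule{
	{"shell-executor", "jobs run directly on the runner host",
		func(r RunnerConfig) bool { return r.Executor == "shell" }},
	// Assumption: a MaxBuilds value other than 1 lets a VM serve more than one job.
	{"docker-machine-reuse", "ephemeral VMs are reused across jobs",
		func(r RunnerConfig) bool {
			return r.Executor == "docker+machine" && (r.Machine == nil || r.Machine.MaxBuilds != 1)
		}},
}
// Taints lists every matched rule as "runners[i]:id (why)", in config order.
func Taints(runners []RunnerConfig) []string {
	var hits []string
	for i, r := range runners {
		for _, rule := range taintRules {
			if rule.match(r) {
				hits = append(hits, fmt.Sprintf("runners[%d]:%s (%s)", i, rule.id, rule.why))
			}
		}
	}
	return hits
}
// OnConfigLoad runs on every load, hot-reloads included; it logs only when tainted and
// stays silent on a clean config, so the log never implies that a config is safe.
func OnConfigLoad(runners []RunnerConfig) bool {
	hits := Taints(runners)
	if len(hits) == 0 {
		return false
	}
	log.Printf("Warning: Potentially insecure settings used (%s). See %s to learn more.",
		strings.Join(hits, ", "), "https://docs.gitlab.com/runner/potentially-insecure/settings")
	return true
}
```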