option to run gitlab-runner as non-root user
The gitlab-runner runs as root in a container and that should be configurable. According to the closed issue #263, this was done on purpose to make it simpler to manage the service, to give only the daemon the privilege to read /etc/gitlab-runner/config.toml, and to allow out-of-the-box support for Docker (if installed) without exposing it to the shell executor.
But we would like to adhere to the principle of least privilege. I cannot find a reason to run docker-runner as root, other than the out-of-the-box support for docker. But if you do use docker executors? If you run kubernetes? There is no need to run as root.
Also, here it is well explained why running as root is not a good idea: https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
[root@0659bb5d82b3 /]# ps auxw
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0    164     4 ?        Ss   Feb27   0:00 /usr/bin/dumb-init /entrypoint run --user=gitlab-runner --working-
root         5  0.1  0.0  61412 11648 ?        Ssl  Feb27  58:41 gitlab-runner run --user=gitlab-runner --working-directory=/home/g
root        13  0.6  0.0  11764  1832 ?        Ss   16:29   0:00 bash
root        24  0.0  0.0  47416  1656 ?        R+   16:29   0:00 ps auxw
I would like to propose a 'user' value in the global section of the GitLab Runner configuration, defaulting to 'root', that sets the user the gitlab-runner process runs as. Out of the box, docker executors keep working.
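Added example, not part of the original issue or of GitLab Runner: a small audit check for the condition the `ps` output above shows, where a process is owned by root even though its command line carries `--user=gitlab-runner`. The function names `sample_ps` and `root_despite_user_flag` are hypothetical, and the sample input is the issue's own listing re-typed one process per line.

```shell
#!/bin/sh
# Constructed sample: the `ps auxw` listing from the issue, one process per line.
sample_ps() {
cat <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 164 4 ? Ss Feb27 0:00 /usr/bin/dumb-init /entrypoint run --user=gitlab-runner --working-
root 5 0.1 0.0 61412 11648 ? Ssl Feb27 58:41 gitlab-runner run --user=gitlab-runner --working-directory=/home/g
root 13 0.6 0.0 11764 1832 ? Ss 16:29 0:00 bash
root 24 0.0 0.0 47416 1656 ? R+ 16:29 0:00 ps auxw
EOF
}

# Reads `ps auxw` output on stdin and prints "PID OWNER REQUESTED_USER" for
# every process that is owned by root although its command line asks for a
# different user via --user=<name>. Prints nothing when no such process exists.
root_despite_user_flag() {
  awk 'NR > 1 && $1 == "root" {
    # Field 11 onward is the command line in the aux layout.
    for (i = 11; i <= NF; i++) {
      if ($i ~ /^--user=/) {
        want = substr($i, 8)          # text after "--user="
        if (want != "" && want != "root")
          print $2, $1, want
        break
      }
    }
  }'
}

# Stand-alone run against the constructed sample; inside a container,
# replace sample_ps with: ps auxw
sample_ps | root_despite_user_flag
```

An empty result means no root-owned process advertises a non-root `--user` value; it does not by itself show that nothing in the container runs as root.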