Windows: Drop privileges after starting
Zendesk: https://gitlab.zendesk.com/agent/tickets/93017
Customer would like the ability to start the Runner as some user (probably System/Admin) and then have it drop privileges down to the gitlab-runner user. This would ensure that the configuration is loaded from config.toml while running as System/Admin, after which the gitlab-runner user could not read the config file: scripts executed by the runner would be unable to read secrets from config.toml.
There is an option to start the runner as a specified user (https://docs.gitlab.com/runner/commands/#gitlab-runner-run), but it does not work on Windows: if one runs gitlab-runner run --working-directory C:\gitlab-runner --config C:\gitlab-runner\config.toml --service gitlab-runner --user gitlab-runner-user --syslog without Administrative privileges, it fails with Access Denied errors. If one runs this command as Administrator, jobs will be executed as Administrator, not as gitlab-runner-user.