The documentation suggests macOS users to place runner config files in a public folder shared between multiple users
HackerOne report #2189299 by ricardobrito
on 2023-10-02, assigned to GitLab Team
Report
Hi team
Summary
The following documentation section contains instructions for users installing a GitLab Runner in a Docker container, using local system volume mounts to start the runner container. However, it suggests that macOS users use a public folder to hold the runner's configuration file, which is a bad idea in a multi-user environment.
Problem Description
According to the documentation, the problem here is this note:
On macOS, use /Users/Shared instead of /srv.
On macOS systems, the /Users/Shared folder is used for placing files that can be shared across multiple users of the system, and the documentation is suggesting that macOS users place the runner config file in this folder. This is a problem because if the guest user on macOS is enabled (or there are any other user accounts on the macOS system), that user could also access this file, and since the file contains the runner token, it would be leaked to that user.
On macOS systems, to make a file available to all users of the Mac, all we need to do is place it in the /Users/Shared folder.
After I follow the suggestion in the documentation, my runner config file is located in the /Users/Shared/gitlab-runner/config/config.toml folder, and as you can see, the file contains the token:
[REDACTED]
In a multi-user environment, another user could navigate to this folder, open the configuration file and access my runner token.
Possible Solutions
I suggest a documentation update to suggest a different folder rather than the /Users/Shared folder to store runner configuration files.
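As an added illustration (not part of the report or of GitLab's documentation), the following POSIX shell script checks whether a runner config.toml is exposed to other local users, either because it lives under /Users/Shared or because its mode grants group/other read access, and creates a per-user config directory with owner-only permissions instead. The `$HOME/gitlab-runner/config` location is an assumption, not a path taken from the page.

```shell
#!/bin/sh
# Added example: detect a GitLab Runner config file exposed to other local
# users, and prepare a private per-user directory as the alternative.

# Return 0 if the config file is private to the current user, 1 if it is
# readable by other users, 2 if it does not exist.
check_runner_config() {
  cfg="$1"
  case "$cfg" in
    /Users/Shared/*)
      # The macOS shared folder is readable by every local account.
      echo "EXPOSED: $cfg is under /Users/Shared"
      return 1 ;;
  esac
  [ -f "$cfg" ] || { echo "MISSING: $cfg"; return 2; }
  # Octal mode, e.g. 644; macOS uses stat -f, GNU/Linux uses stat -c.
  if [ "$(uname)" = "Darwin" ]; then
    mode=$(stat -f '%Lp' "$cfg")
  else
    mode=$(stat -c '%a' "$cfg")
  fi
  case "$mode" in
    *00) echo "OK: $cfg mode $mode (owner only)"; return 0 ;;
    *)   echo "EXPOSED: $cfg mode $mode grants group/other access"; return 1 ;;
  esac
}

# Create a config directory that only the invoking user can enter or read,
# e.g. "$HOME/gitlab-runner/config" (assumed location) to mount with
# -v "$HOME/gitlab-runner/config:/etc/gitlab-runner" instead of /Users/Shared.
make_private_config_dir() {
  dir="$1"
  mkdir -p "$dir" && chmod 700 "$dir"
}

if [ "$#" -gt 0 ]; then
  check_runner_config "$1"
fi
```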
Impact
The documentation suggests that macOS users place runner config files in a public folder, but this is bad because the folder is shared across all users of the macOS system, which would cause the runner token to be leaked to other users.
Attachments
[REDACTED]