You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Gitea act_runner is TERRIBLY INSECURE, it allows all job containers to:
access the docker daemon on host via the socket.
bind host directories into the container.
This allows any job to escape from the container and easily get root privileges on the runner host. Jobs are basically untrusted code so they have to be isolated correctly.
Some ways of how you can escape the container using docker.sock include:
starting a privileged container
using host namespaces
using a bind mount to host directory to overwrite system files
It may be rather OK for act itself because it's only a local testing tool, but for act_runner it's a real blocker.
You should forbid bind mounts in job descriptions (named volumes are probably ok) and remove docker socket access. The latter will probably break docker-related steps, so for them you'll have to use DinD or newer tools like Kaniko or Buildah/Podman.
I like Gitea and I use it for a long time so probably I'll try to patch and test it on my server and submit a PR, but anyway, in the current state Gitea Actions SHOULD NOT be used in production.
Gitea Version
1.19.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Official linux amd64 binary in systemd.
Testing act_runner in a separate VM.
Database
MySQL
The text was updated successfully, but these errors were encountered:
Description
Hi.
I already submitted it as https://gitea.com/gitea/act_runner/issues/167
But I want to duplicate it here because I think it's VERY important. The problem is:
Gitea act_runner is TERRIBLY INSECURE, it allows all job containers to:
This allows any job to escape from the container and easily get root privileges on the runner host. Jobs are basically untrusted code so they have to be isolated correctly.
Some ways of how you can escape the container using docker.sock include:
It may be rather OK for
act
itself because it's only a local testing tool, but for act_runner it's a real blocker.You should forbid bind mounts in job descriptions (named volumes are probably ok) and remove docker socket access. The latter will probably break docker-related steps, so for them you'll have to use DinD or newer tools like Kaniko or Buildah/Podman.
I like Gitea and I use it for a long time so probably I'll try to patch and test it on my server and submit a PR, but anyway, in the current state Gitea Actions SHOULD NOT be used in production.
Gitea Version
1.19.1
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Screenshots
No response
Git Version
No response
Operating System
No response
How are you running Gitea?
Official linux amd64 binary in systemd.
Testing act_runner in a separate VM.
Database
MySQL
The text was updated successfully, but these errors were encountered: