default privileged plugins also are privileged when used as normal images #1525
Comments
|
similar to #1344 |
|
well if we can backport it we should determine on the implementation .. but it would be nice if it's able to |
|
There are use-cases where being able to use commands in privileged setups may be beneficial. The question is, if it would make sense to have 2 lists, one with privileged plugins and one privileged "no matter what" (i.e. adding privileged in certain repos as an admin...), potentially even on a woodpecker-server level as some may prefer their things to be privilaged, as they have full control over the instance (i.e. on a dev PC, isolated networks,...) In forgejo we are using a privileged container to run some tasks requiring it (though they could potentially be written into a plugin), so having an option to allow (at least on a repo level) additional privileged plugins and/or privileged "no matter what" would be great. |
|
well there is still a repo config that will allow to set that privileges so your usecase will work but for the default config Im better save than sory |
Absolutely, 100%, the question on my part was (I may have been a bit confusing in that reply), if there could / should be 2 settings on the repo 1 for privileged plugins and another one for "always" privileged (there may be enough trust to allow additional plugins, but not "always" privileged setups) Edit just to clarify our default is "" for escalateable images, so none at all globally, so being able to differentiate the 2 escalation / privileged levels would be great. |
6543
added
enhancement
Closes #1525 Co-authored-by: Anbraten <anton@ju60.de>
e.g.
woodpecker/shared/constant/constant.go
Lines 17 to 23 in f1e9c84
should only have privileged permissions in plugin usage ...
else you could use custom commands to escape jail
bounty 50$
The text was updated successfully, but these errors were encountered: