My self-manage server has hardening issues

How to Use GitLab System Administration
#1

I have hardening issues from security team and need to clarify these issues for them.
I would ask help and confirm. We can’t manually fix these issues because it’s Gitlab requirement and gitlab-ctl reconfigure will always change it back.

  1. -rwsrxr-x /opt/gitlab/embedded/bin/ksu
    ksu file has SUID bit.
    Who’s know what’s ksu file use for and why it’s need SUID?

  2. What are these binary files? and Why it need execute permission?
    -rwxr----- /var/log/gitlab/redis/@400000006035cce809047e9c.s
    -rwxr----- /var/log/gitlab/…/@XXXXXXXXXXXXXX.s

3.In /etc/passwd/git was set /bin/sh it allow git user can logon via ssh.
I already tell them it’s standard function and alternative way to use git over ssh.
I disabled ssh function already but they ask me find someone confirm we can’t manually remove /bin/sh from /etc/passwd/git because gitlab-ctl will always fix it back.

  1. They scan .netrc and found all gitlab user sharing the same home directory.
    Are they using the same home path because they are using the same common library?

git = /var/opt/gitlab
gitlab-www = /var/opt/gitlab/nginx
gitlab-psql = /var/opt/gitlab/postgresql
gitlab-prometheus = /var/opt/gitlab/prometheus
gitlab-redis = /var/opt/gitlab/redis

  1. Related to 4th topic. I got issue why home path was set permission with 750
    I believe It’s because Gitlab set app path as home directory. So they need read and execute permission cross over between their Gitlab users.

drwxr-xr-x /var/opt/gitlab/
drwxr-xr-x /var/opt/gitlab/postgresql

#2

  1. KSU - Kerberized SU. ksu(1): Kerberized super-user - Linux man page

  2. Since SSH is functionality of gitlab for commits, then shell access is required. Therefore chances of the shell being reset on upgrades is possible and normal. I suggest you restrict in other ways, for example, edit /etc/ssh/sshd_config and set:

AllowUsers user1 user2 user3

if git is not on the list then it cannot connect. You can also restrict access to SSH by using iptables on the server and only allow IP’s to connect over SSH that need to administer the system - but you can still restrict the exact users via sshd_config.

  1. The home directories are not the same. Git user has /var/opt/gitlab, nginx a subdirectory within here. This is because they need to have a home directory for the web part of gitlab (nginx), database (postgres).

  2. Directories by default on Linux when created have permissions 755. As far as I am aware it’s not recommended to remove the execute bit from a directory. There isn’t anything to execute anyway. Default file attributes are 644. I would more worry about execute bit being set on files.

1 Like