I have hardening issues from the security team and need to clarify these issues for them.
I would like to ask for help and confirmation. We can't manually fix these issues because they are GitLab requirements and `gitlab-ctl reconfigure` will always change them back.
1. The ksu file has the SUID bit.
Who knows what the ksu file is used for and why it needs SUID?
2. What are these binary files, and why do they need execute permission?
3. In /etc/passwd, git was set to /bin/sh, which allows the git user to log on via SSH.
I already told them it's a standard function and an alternative way to use Git over SSH.
I already disabled the SSH function, but they asked me to find someone to confirm that we can't manually remove /bin/sh from the git entry in /etc/passwd because gitlab-ctl will always set it back.
4. They scanned .netrc and found all GitLab users sharing the same home directory.
Are they using the same home path because they are using the same common library?
git = /var/opt/gitlab
gitlab-www = /var/opt/gitlab/nginx
gitlab-psql = /var/opt/gitlab/postgresql
gitlab-prometheus = /var/opt/gitlab/prometheus
gitlab-redis = /var/opt/gitlab/redis
5. Related to the 4th topic: I got an issue asking why the home path was set with permission 750.
I believe it's because GitLab sets the app path as the home directory, so they need read and execute permission across their GitLab users.
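As an added audit helper (mine, not from the original post or from GitLab's tooling), the script below reproduces the passwd-based findings from items 3 and 4 on a constructed passwd snippet that reuses the home paths listed above, and includes a SUID search to run against a live install; the uids, gids and shells in the sample are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original post or of GitLab's tooling.
# Home paths match the ones listed in the post; uids, gids and shells in the
# sample are constructed assumptions so the script runs offline.

# Constructed sample in /etc/passwd format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD='git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-www:x:997:997::/var/opt/gitlab/nginx:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
gitlab-prometheus:x:995:995::/var/opt/gitlab/prometheus:/bin/false
gitlab-redis:x:994:994::/var/opt/gitlab/redis:/bin/false'

# Accounts whose shell is neither /bin/false nor *nologin, i.e. can log in.
# Usage: login_shell_users <passwd-file>
login_shell_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts whose home is identical to, or nested under, another account's
# home (the ".netrc" finding). Prints "user parent_user" pairs, one per line.
# Usage: nested_homes <passwd-file>
nested_homes() {
  awk -F: '
    { user[NR] = $1; home[NR] = $6 }
    END {
      for (i = 1; i <= NR; i++)
        for (j = 1; j <= NR; j++)
          if (i != j && (home[i] == home[j] || index(home[i], home[j] "/") == 1))
            print user[i], user[j]
    }' "$1"
}

# Root-owned SUID files under a tree, for a live install (e.g. suid_files /opt/gitlab).
# Usage: suid_files <dir>
suid_files() {
  find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Demo run against the constructed sample only.
demo() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$f"
  echo "accounts with a login shell:"; login_shell_users "$f"
  echo "homes nested under another account's home:"; nested_homes "$f"
  rm -f "$f"
}
demo
```

Pointing `login_shell_users` and `nested_homes` at the real /etc/passwd gives the security team's list to compare against what `gitlab-ctl reconfigure` re-applies.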