exozyme/exozyme
7
12
Fork 0
Code Issues 4 Pull requests Projects Releases 39 Wiki Activity

Woodpecker security issues #98

New issue
Closed
opened 2022-01-20 02:45:35 +00:00 by a · 4 comments
a commented 2022-01-20 02:45:35 +00:00
Owner
Copy link

Currently, the woodpecker-agent user has write access to my deployed websites, but this is significant security issue. We could use environment variable secrets, but my PR only has very janky support for secrets.

Currently, the `woodpecker-agent` user has write access to my deployed websites, but this is significant security issue. We could use environment variable secrets, but my [PR only has very janky support for secrets](https://github.com/woodpecker-ci/woodpecker/pull/709#issuecomment-1017063016).
a added the
security
bug
 labels 2022-01-20 02:45:35 +00:00
a self-assigned this 2022-01-20 02:45:35 +00:00
a added this to the (deleted) project 2022-01-20 02:45:35 +00:00
a commented 2022-01-20 16:27:22 +00:00
Author
Owner
Copy link

Should be possible to do this with SSH keys but I'll also try to think of a way to improve the security of our current method, since it's much simpler than using environement variables and SSH keys.

Should be possible to do this with SSH keys but I'll also try to think of a way to improve the security of our current method, since it's much simpler than using environement variables and SSH keys.
a commented 2022-01-21 00:46:11 +00:00
Author
Owner
Copy link

Alright so I was able to get SSH keys to work: https://ci.exozy.me/Ta180m/website/build/17

However, I think it just opens up more security issues, so I'm going to keep things as is for now.

Alright so I was able to get SSH keys to work: https://ci.exozy.me/Ta180m/website/build/17 However, I think it just opens up more security issues, so I'm going to keep things as is for now.
a commented 2022-01-21 00:46:30 +00:00
Author
Owner
Copy link

We might also want to do some systemd security hardening for Woodpecker: https://www.freedesktop.org/software/systemd/man/systemd.exec.html

We might also want to do some systemd security hardening for Woodpecker: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
a commented 2022-01-22 17:10:15 +00:00
Author
Owner
Copy link

I disabled registration for Woodpecker since our setup with the bare-metal backend is inherently insecure.

I disabled registration for Woodpecker since our setup with the bare-metal backend is inherently insecure.
a added the
wontfix
 label 2022-01-22 17:12:43 +00:00
a closed this issue 2022-01-22 17:13:08 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v9.0
v8.8
v8.7
v8.6
v8.5
v8.4
v8.3
v8.2
v8.1
v8.0
v7.10
v7.9
v7.8
v7.7
v7.6
v7.5
v7.4
v7.3
v7.2
v7.1
v7.0
v6.1
v6.0
v5.1
v5.0
v4.2
v4.1
v4.0
v3.0
v2.5
v2.4
v2.3
v2.2
v2.1
v2.0
v1.3
v1.2
v1.1
v1.0
v0.3-beta
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
security

Security vulnerability

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
a
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#98
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?