feat(security): add config option process which allow config chroot and user

Author: fiftin

db_lib/AnsiblePlaybook.go

@@ -31,6 +31,8 @@ func (p AnsiblePlaybook) makeCmd(command string, args []string, environmentVars
 	cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
 	cmd.Env = append(cmd.Env, environmentVars...)
 
+	cmd.SysProcAttr = util.Config.GetSysProcAttr()
+
 	return cmd
 }
 

db_lib/ShellApp.go

@@ -49,6 +49,8 @@ func (t *ShellApp) makeCmd(command string, args []string, environmentVars []stri
 	cmd.Env = append(cmd.Env, fmt.Sprintf("PWD=%s", cmd.Dir))
 	cmd.Env = append(cmd.Env, environmentVars...)
 
+	cmd.SysProcAttr = util.Config.GetSysProcAttr()
+
 	return cmd
 }
 

db_lib/TerraformApp.go

@@ -78,6 +78,8 @@ func (t *TerraformApp) makeCmd(command string, args []string, environmentVars []
 		cmd.Env = append(cmd.Env, environmentVars...)
 	}
 
+	cmd.SysProcAttr = util.Config.GetSysProcAttr()
+
 	return cmd
 }
 

deployment/docker/runner/Dockerfile

@@ -36,15 +36,6 @@ RUN curl -O https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraf
     unzip terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip -d /tmp && \
     rm terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 
-#RUN if [ "$TARGETARCH" = "amd64" ]; then \
-#      export PULUMI_ARCH="x64"; \
-#    else \
-#      export PULUMI_ARCH="${TARGETARCH}"; \
-#    fi && \
-#    wget -O pulumi.tar.gz https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-${PULUMI_ARCH}.tar.gz
-#RUN tar xf pulumi.tar.gz --strip-components=1 -C /usr/local/bin
-#RUN rm pulumi.tar.gz
-
 FROM alpine:3.21
 
 ARG TARGETARCH="amd64"

deployment/docker/server/Dockerfile

@@ -37,15 +37,6 @@ RUN curl -O https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraf
     unzip terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip -d /tmp && \
     rm terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip
 
-#RUN if [ "$TARGETARCH" = "amd64" ]; then \
-#      export PULUMI_ARCH="x64"; \
-#    else \
-#      export PULUMI_ARCH="${TARGETARCH}"; \
-#    fi && \
-#    wget -O pulumi.tar.gz https://github.com/pulumi/pulumi/releases/download/v${PULUMI_VERSION}/pulumi-v${PULUMI_VERSION}-linux-${PULUMI_ARCH}.tar.gz
-#RUN tar xf pulumi.tar.gz --strip-components=1 -C /usr/local/bin
-#RUN rm pulumi.tar.gz
-
 FROM alpine:3.21
 
 ARG TARGETARCH="amd64"

util/config.go

@@ -13,12 +13,14 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"os/user"
 	"path"
 	"path/filepath"
 	"reflect"
 	"regexp"
 	"strconv"
 	"strings"
+	"syscall"
 
 	"github.com/google/go-github/github"
 	"github.com/gorilla/securecookie"
@@ -151,6 +153,11 @@ type ConfigLog struct {
 	Events *EventLogType `json:"events,omitempty"`
 }
 
+type ConfigProcess struct {
+	User   string `json:"user,omitempty" env:"SEMAPHORE_PROCESS_USER"`
+	Chroot string `json:"chroot,omitempty" env:"SEMAPHORE_PROCESS_CHROOT"`
+}
+
 // ConfigType mapping between Config and the json file that sets it
 type ConfigType struct {
 	MySQL    *DbConfig `json:"mysql,omitempty"`
@@ -252,6 +259,8 @@ type ConfigType struct {
 	ForwardedEnvVars []string `json:"forwarded_env_vars,omitempty" env:"SEMAPHORE_FORWARDED_ENV_VARS"`
 
 	Log *ConfigLog `json:"log,omitempty"`
+
+	Process *ConfigProcess `json:"process,omitempty"`
 }
 
 func NewConfigType() *ConfigType {
@@ -299,6 +308,35 @@ func ClearDir(dir string, preserveFiles bool, prefix string) error {
 	return nil
 }
 
+func (conf *ConfigType) GetSysProcAttr() (res *syscall.SysProcAttr) {
+
+	if conf.Process.Chroot != "" {
+		res = &syscall.SysProcAttr{}
+		res.Chroot = conf.Process.Chroot
+	}
+
+	if conf.Process.User != "" {
+		if res == nil {
+			res = &syscall.SysProcAttr{}
+		}
+
+		u, err := user.Lookup(conf.Process.User)
+		if err != nil {
+			return
+		}
+
+		uid, _ := strconv.Atoi(u.Uid)
+		gid, _ := strconv.Atoi(u.Gid)
+
+		res.Credential = &syscall.Credential{
+			Uid: uint32(uid),
+			Gid: uint32(gid),
+		}
+	}
+
+	return
+}
+
 func (conf *ConfigType) ClearTmpDir() error {
 	return ClearDir(conf.TmpPath, false, "")
 }