The Tor Project / TPA / Gitlab, issue #127 (Closed)
Created Jun 29, 2022 by anarcat (Owner), 8 of 8 tasks completed

cleanup LDAP vs manual UNIX groups in GitLab

we have a bunch of users and groups in LDAP for gitlab-02:

allowedGroups: dip
allowedGroups: git
allowedGroups: gitlab-consul
allowedGroups: gitlab-redis
allowedGroups: gitlab-www
allowedGroups: registry

of those, i think only git is used, but only by name. indeed, in LDAP the git UID is 1504 while on gitlab-02 it is:

root@gitlab-02:~# id git
uid=995(git) gid=2149(git) groups=2149(git)

ouch.

similarly, we have the gitlab-psql user in operation on gitlab-02, yet it's not in LDAP:

root@gitlab-02:~# id gitlab-psql
uid=993(gitlab-psql) gid=2145(gitlab-psql) groups=2145(gitlab-psql)

those are the processes actually running right now with anything resembling a git username:

root@gitlab-02:~# ls -dal /proc/*/ | grep git | sort | sed 's/Jun.*//' | sort -u
dr-xr-xr-x  9 git          git          0 
dr-xr-xr-x  9 gitlab-psql  git          0 
dr-xr-xr-x  9 gitlab-psql  gitlab-psql  0 
dr-xr-xr-x  9 gitlab-redis git          0 
dr-xr-xr-x  9 gitlab-redis gitlab-redis 0 

numerically, here are all the UIDs in use on gitlab-02 right now:

root@gitlab-02:~# ls -alnd /proc/*/ | grep -v '0    0 0' | sed 's/Jun.*//' | sort -u
dr-xr-xr-x  9   1    1 0 
dr-xr-xr-x  9  33   33 0 
dr-xr-xr-x  9 104  105 0 
dr-xr-xr-x  9 107  113 0 
dr-xr-xr-x  9 108  114 0 
dr-xr-xr-x  9 109  115 0 
dr-xr-xr-x  9 110  117 0 
dr-xr-xr-x  9 112  120 0 
dr-xr-xr-x  9 113    0 0 
dr-xr-xr-x  9 114  122 0 
dr-xr-xr-x  9 119  127 0 
dr-xr-xr-x  9 120  128 0 
dr-xr-xr-x  9 993 2145 0 
dr-xr-xr-x  9 993 2149 0 
dr-xr-xr-x  9 994 2144 0 
dr-xr-xr-x  9 994 2149 0 
dr-xr-xr-x  9 995 2149 0 
dr-xr-xr-x  9 997  997 0 
dr-xr-xr-x  9 998  998 0 

so i don't think any of the LDAP users or groups are in use here, but I could be mistaken. In any case, this should be cleaned up. at the very least the dip user should be removed altogether.

so here are the groups to check, and in there, each user that's a member should be checked as well:

  • allowedGroups: dip
  • allowedGroups: git
  • allowedGroups: gitlab-consul
  • allowedGroups: gitlab-redis
  • allowedGroups: gitlab-www
  • allowedGroups: registry

for each of those:

  1. check that the group is not in use on gitlab-02
  2. check that all users part of that group are not in use
  3. check that no file is owned by the user or group
  4. delete the user and group in LDAP

also do this:

  • check for unowned files on the server: find / /var/opt /srv/gitlab-backup/ /srv/gitlab-shared/ -xdev \( -nouser -o -nogroup \)
  • reboot the server to make sure everything works
Edited Jul 22, 2022 by anarcat
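The UID comparison at the top of the issue and steps 1 to 3 of the checklist are the same question asked per account: does the host refer to the LDAP entry by name, by number, both, or not at all? The script below is an added example, not code from the issue or from TPA's tooling. Its three tables are constructed from the numbers the issue quotes (git is 1504 in LDAP and 995 locally, gitlab-psql exists only locally); on a real host they would be generated from getent against the LDAP source, from /etc/passwd, and from the ls -alnd /proc/*/ listing shown above. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the issue or the TPA tooling. Compares accounts
# defined in LDAP against what a host actually has and runs, which is steps
# 1-3 of the checklist applied to one account at a time.
#
# The three tables below are CONSTRUCTED to mirror the numbers quoted in the
# issue. On a real host you would build them from, for example:
#   getent passwd (against the LDAP source)     -> LDAP_USERS
#   awk -F: '{print $1":"$3":"$4}' /etc/passwd  -> LOCAL_USERS
#   ls -alnd /proc/*/ | awk '{print $3, $4}'    -> PROC_IDS

# LDAP side: name:uid:gid
LDAP_USERS='git:1504:1504
dip:1510:1510
gitlab-redis:1505:1505'

# local /etc/passwd side: name:uid:gid
LOCAL_USERS='git:995:2149
gitlab-psql:993:2145
gitlab-redis:994:2144'

# numeric uid/gid pairs of running processes
PROC_IDS='995 2149
993 2145
994 2144
994 2149'

# lookup TABLE NAME FIELD: print field 2 (uid) or 3 (gid) of the named account
lookup() {
    printf '%s\n' "$1" | awk -F: -v n="$2" -v f="$3" '$1 == n { print $f; exit }'
}

# uid_in_use UID: succeed if some running process has this numeric uid
uid_in_use() {
    printf '%s\n' "$PROC_IDS" | awk -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# classify NAME: how an LDAP account relates to the host
#   not-in-ldap  local-only account (gitlab-psql in the issue)
#   consistent   same name and same uid in LDAP and locally
#   name-only    same name but different uids (git: 1504 in LDAP, 995 locally)
#   ldap-in-use  no local account, yet a process runs under the LDAP uid
#   absent       nothing on the host refers to it, by name or by number
classify() {
    name=$1
    ldap_uid=$(lookup "$LDAP_USERS" "$name" 2)
    local_uid=$(lookup "$LOCAL_USERS" "$name" 2)
    if [ -z "$ldap_uid" ]; then
        echo not-in-ldap
    elif [ -z "$local_uid" ]; then
        if uid_in_use "$ldap_uid"; then echo ldap-in-use; else echo absent; fi
    elif [ "$ldap_uid" = "$local_uid" ]; then
        echo consistent
    else
        echo name-only
    fi
}

# owned_by DIR UID GID: files under DIR (same filesystem) owned by either id,
# i.e. what would become unowned once the LDAP entry is deleted (step 3)
owned_by() {
    find "$1" -xdev \( -uid "$2" -o -gid "$3" \) 2>/dev/null
}

# unowned_files DIR...: the issue's final check, with the parentheses find
# needs so that -xdev applies to both tests instead of only to -nouser
unowned_files() {
    find "$@" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# report on every LDAP account
for name in $(printf '%s\n' "$LDAP_USERS" | cut -d: -f1); do
    printf '%-14s %s\n' "$name" "$(classify "$name")"
done
```

The name-only case is the one the issue found for git: the host's account shares only the name with the LDAP entry, so removing the LDAP entry changes nothing on this machine, while any file owned by uid 1504 on a host that does trust LDAP would be the one left unowned. That is why owned_by is run with the LDAP uid and gid, not the local ones, before the entry is deleted, and why the unowned_files sweep is worth repeating afterwards.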