From 410b0bb217fea46d9d949e36b72be141b97c1fa3 Mon Sep 17 00:00:00 2001 From: mscherer Date: Thu, 7 Apr 2022 17:50:37 +0200 Subject: [PATCH] Add some warning regarding the local backend (#875) --- docs/docs/30-administration/22-backends/20-local.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/docs/30-administration/22-backends/20-local.md b/docs/docs/30-administration/22-backends/20-local.md index 101a9538f..51c5d287a 100644 --- a/docs/docs/30-administration/22-backends/20-local.md +++ b/docs/docs/30-administration/22-backends/20-local.md @@ -1 +1,11 @@ # Local backend + +The local backend will execute the pipelines on the local system without any isolation of any kind. + +Since the code run directly in the same context as the agent (same user, same filesystem), a malicious pipeline could +be used to access the agent configuration especially the `WOODPECKER_AGENT_SECRET` variable. + +It is recommended to use this backend only for private setup where the code and pipeline can be trusted. You shouldn't +use it for a public facing CI where anyone can submit code or add new repositories. + +The backend will use a random directory in $TMPDIR to store the clone code and execute commands.