GitLab: prevent new users from assigning admin privileges to themselves
I know this looks like a dumb question, but I just found out that last month something terrible happened on my GitLab instance: someone signed up without any invitation from me and became an administrator, even though I was the only administrator. He then wiped all the projects and/or private projects in it, and the groups too (I don't even know whether he stole all those projects before wiping them, which worries me because they are proprietary code). How did it happen? Does it have anything to do with the version being CE-13.3.0? If so, is upgrading the version enough to be safer, or should I do some special configuration, such as disabling the registration page?
It is best to follow "GitLab instance: security best practices", which does include:
Ensure open sign-up is disabled on your instance.
Open registration is disabled by default on self-managed instances with GitLab 13.6 and above installed.
If new sign-up is enabled and your instance is open to the internet, anyone can sign up and access data.
Administrators who would like to further restrict access on their instance can follow our documentation on how to configure user access.
Regarding the CVE mentioned, also follow "Action needed by self-managed customers in response to CVE-2021-22205", and in your case: "CVE-2021-22205: How to determine if a self-managed instance has been impacted" (unless the log events have also been wiped).
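As an added example that is not part of the original question or answer, the script below audits the two things the answer points at: whether open sign-up is still enabled, and whether any administrator account exists that the instance owner did not create. It consumes the JSON that GitLab's REST API returns from GET /api/v4/application/settings and GET /api/v4/users (both need an admin token); the two sample documents embedded here are constructed for demonstration and are not real API output, and the username "newcomer" is a made-up stand-in for an unexpected admin.

```python
"""Audit a self-managed GitLab instance for open sign-up and unexpected admins.

Feed it the output of (admin token required, host and token are placeholders):
  curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.example.com/api/v4/application/settings"
  curl --header "PRIVATE-TOKEN: <token>" "https://gitlab.example.com/api/v4/users?per_page=100"
To close open registration from the same API:
  curl --request PUT --header "PRIVATE-TOKEN: <token>" \
       "https://gitlab.example.com/api/v4/application/settings?signup_enabled=false"
"""
from datetime import datetime

# Constructed sample of GET /api/v4/application/settings (subset of fields).
SAMPLE_SETTINGS = {
    "signup_enabled": True,
    "require_admin_approval_after_user_signup": False,
    "domain_allowlist": [],
}

# Constructed sample of GET /api/v4/users as seen with an admin token
# (the is_admin field is only returned to administrators).
SAMPLE_USERS = [
    {"id": 1, "username": "root", "is_admin": True,
     "created_at": "2020-01-10T09:00:00.000Z", "state": "active"},
    {"id": 7, "username": "newcomer", "is_admin": True,
     "created_at": "2021-10-02T14:21:00.000Z", "state": "active"},
    {"id": 8, "username": "dev1", "is_admin": False,
     "created_at": "2020-03-05T11:00:00.000Z", "state": "active"},
]


def audit_signup_settings(settings):
    """Return human-readable findings for risky sign-up settings.

    Only the keys documented for /application/settings are consulted; a
    missing key is treated as the safe value, so a partial document never
    produces a false finding.
    """
    findings = []
    if settings.get("signup_enabled", False):
        findings.append("open sign-up is enabled (signup_enabled=true)")
        if not settings.get("require_admin_approval_after_user_signup", False):
            findings.append("new sign-ups are activated without admin approval")
        if not settings.get("domain_allowlist"):
            findings.append("no domain allowlist restricts who may register")
    return findings


def _parse_gitlab_time(value):
    # GitLab emits ISO 8601 with a trailing Z; fromisoformat needs +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_admins(users, known_admins, created_after=None):
    """Return usernames of admin accounts that are not in known_admins.

    created_after (ISO 8601 string, optional) narrows the result to accounts
    created on or after that moment, e.g. the date of the last known-good
    review of the admin list.
    """
    cutoff = _parse_gitlab_time(created_after) if created_after else None
    suspects = []
    for user in users:
        if not user.get("is_admin") or user["username"] in known_admins:
            continue
        if cutoff is None or _parse_gitlab_time(user["created_at"]) >= cutoff:
            suspects.append(user["username"])
    return suspects


if __name__ == "__main__":
    for finding in audit_signup_settings(SAMPLE_SETTINGS):
        print("setting:", finding)
    for name in unexpected_admins(SAMPLE_USERS, known_admins={"root"}):
        print("unexpected admin account:", name)
```

Run it against real API output by loading the two JSON responses with json.load and passing them in place of the samples; an empty result from both functions is the state the answer's best-practice document describes. A non-empty admin list is a reason to review the instance's audit events and the CVE-2021-22205 guidance the answer links, not to delete the account blindly, since the account's activity is evidence.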