Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Self-hosted shell runner - pass configuration securely

moritz_matchory_com
moritz_matchory_com
Contributor
August 21, 2022

After the introduction of self-hosted shell runners, we immediately switched from the previous Docker runners to shell runners running inside Docker containers, so we can have a simple way to deploy to our Swarm cluster (by having the deployment image running inside it, with access to the Docker socket on the host). Essentially, we're just running a pipelines runner with access to the Docker swarm host.

What bugs me, however, is that the runner script requires secret credentials to be passed as command line parameters:

/runner/bin/start.sh \
  --accountUuid "$(cat /run/secrets/account_uuid)" \
  --runnerUuid "$(cat /run/secrets/runner_uuid)" \
  --OAuthClientId "$(cat /run/secrets/oauth_client_id)" \
  --OAuthClientSecret "$(cat /run/secrets/oauth_client_secret)" \
  --runtime linux-shell \
  --workingDirectory /build

By inspecting the current process list, the full prompt of the running process is exposed, thus displaying the secrets in plain text to any interested party:

moritz@whale-01 ~> sudo ps -aux | grep runner
root 1225126 79.0 1.5 2549580 60704 ? Sl 06:48 0:00 java -jar -Dbitbucket.pipelines.runner.account.uuid=<REDACTED> -Dbitbucket.pipelines.runner.repository.uuid= -Dbitbucket.pipelines.runner.uuid=<REDACTED> -Dbitbucket.pipelines.runner.oauth.client.id=<REDACTED> -Dbitbucket.pipelines.runner.oauth.client.secret=<REDACTED> -Dbitbucket.pipelines.runner.directory.working=/build -Dbitbucket.pipelines.runner.environment=PRODUCTION -Dbitbucket.pipelines.runner.runtime=linux-shell -Dbitbucket.pipelines.runner.docker.uri= -Dbitbucket.pipelines.runner.scheduled.state.update.initial.delay.seconds=0 -Dbitbucket.pipelines.runner.scheduled.state.update.period.seconds=30 -Dbitbucket.pipelines.runner.cleanup.previous.folders=false -Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF-8 ./runner.jar

As there is no way to pass configuration via config files or environment variables, there is no way for me to protect the runner credentials from other processes or malicious employees.

@ Atlassian, can you please revise the way the runner script works?

Answer
Watch
Like Be the first to like this
487 views

1 answer

0 votes
Theodora Boudale
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 2, 2022

Hi Moritz,

I reached out to our development team about your request.

Even if credentials are passed as environment variables or in a file, they will still be visible if you run sudo ps -aux | grep runner, and other users could still access the variables and files. This is not a problem that is solvable by us.

If you are concerned about security, you can configure the host to not allow other users onto the machine or restrict what users can see.

Kind regards,
Theodora

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.