| author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-07-06 18:43:17 +0200 | 
|---|---|---|
| committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-07-06 18:43:17 +0200 | 
| commit | bb50b7fcd0161a7b9f0f87cb395e355a87a9dd17 (patch) | |
| tree | 51117e68ca045edf22012e79cd1efc99d3f0254f | |
| parent | 17446ff0c98e870f0500279983432e5115e060a4 (diff) | |
Allow custom backup archive permissions
This change helps system administrators who want to replicate
GitLab backup files without needing root permissions.
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | config/gitlab.yml.example | 1 | ||||
| -rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
| -rw-r--r-- | doc/raketasks/backup_restore.md | 17 | ||||
| -rw-r--r-- | lib/backup/manager.rb | 6 | 
5 files changed, 23 insertions, 3 deletions
| diff --git a/CHANGELOG b/CHANGELOG
index d538bb42992..1c2155c0f9c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -37,6 +37,7 @@ v 7.13.0 (unreleased)
   - Correctly show anonymous authorized applications under Profile > Applications.
   - Query Optimization in MySQL.
   - Allow users to be blocked and unblocked via the API
+  - Allow custom backup archive permissions
 v 7.12.2
   - Correctly show anonymous authorized applications under Profile > Applications.
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index c32ac2042d0..542106e86dd 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -247,6 +247,7 @@ production: &base
   ## Backup settings
   backup:
     path: "tmp/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
+    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
     # keep_time: 604800   # default: 0 (forever) (in seconds)
     # upload:
     #   # Fog storage connection settings, see http://fog.io/storage/ .
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 7b5d488f59e..bd76c918485 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -170,6 +170,7 @@ Settings.gitlab_shell['ssh_path_prefix'] ||= Settings.send(:build_gitlab_shell_s
 Settings['backup'] ||= Settingslogic.new({})
 Settings.backup['keep_time']  ||= 0
 Settings.backup['path']         = File.expand_path(Settings.backup['path'] || "tmp/backups/", Rails.root)
+Settings.backup['archive_permissions']          ||= 0600
 Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil })
 # Convert upload connection settings to use symbol keys, to make Fog happy
 if Settings.backup['upload']['connection']
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 39a13b14fba..4a2e2df357a 100644
--- a/doc/raketasks/backup_restore.md
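Review bot: In config/initializers/1_settings.rb the new `Settings.backup['archive_permissions'] ||= 0600` line accepts whatever the YAML parser yields without checking it. A value written without the leading zero (for example `640`) would be read as a decimal integer and mean a different mode, and a quoted value would arrive as a String; neither is caught here, and the lib/backup/manager.rb hunk passes the setting straight into the open call. I would validate at load time, e.g. `raise "backup.archive_permissions must be an octal mode between 0000 and 0777" unless (0..0777).cover?(Settings.backup['archive_permissions'])`, so a typo cannot silently produce an archive with unintended permissions.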
+++ b/doc/raketasks/backup_restore.md
@@ -141,6 +141,23 @@ with the name of your bucket:
 }
 ```
+## Backup archive permissions
+
+The backup archives created by GitLab (123456_gitlab_backup.tar) will have owner/group git:git and 0600 permissions by default.
+This is meant to avoid other system users reading GitLab's data.
+If you need the backup archives to have different permissions you can use the 'archive_permissions' setting.
+
+```
+# In /etc/gitlab/gitlab.rb, for omnibus packages
+gitlab_rails['backup_archive_permissions'] = 0644 # Makes the backup archives world-readable
+```
+
+```
+# In gitlab.yml, for installations from source:
+  backup:
+    archive_permissions: 0644 # Makes the backup archives world-readable
+```
+
 ## Storing configuration files
 Please be informed that a backup does not store your configuration files.
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 6fa2079d1a8..5103b265ed4 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -20,14 +20,14 @@ module Backup
         # create archive
         $progress.print "Creating backup archive: #{tar_file} ... "
-        orig_umask = File.umask(0077)
-        if Kernel.system('tar', '-cf', tar_file, *backup_contents)
+        # Set file permissions on open to prevent chmod races.
+        tar_system_options = {out: [tar_file, 'w', Gitlab.config.backup.archive_permissions]}
+        if Kernel.system('tar', '-cf', '-', *backup_contents, tar_system_options)
           $progress.puts "done".green
         else
           puts "creating archive #{tar_file} failed".red
           abort 'Backup failed'
         end
-        File.umask(orig_umask)
         upload(tar_file)
       end | 
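Review bot: The permission argument in `out: [tar_file, 'w', Gitlab.config.backup.archive_permissions]` in lib/backup/manager.rb only takes effect when the open creates the file. If something already exists at tar_file, `'w'` truncates it and writes the archive into it with whatever mode and owner it already has, so the guarantee stated in the new comment does not hold in that case. Exclusive-create flags would close that gap: `tar_system_options = {out: [tar_file, File::WRONLY | File::CREAT | File::EXCL, Gitlab.config.backup.archive_permissions]}`, with the resulting failure presumably handled alongside the existing 'Backup failed' path. The comment could also say that the requested mode is still filtered by the process umask now that the `File.umask(0077)` call is removed. The enclosing method starts and ends outside this hunk.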
