summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMarin Jankovski <marin@gitlab.com>2016-02-23 15:12:20 +0000
committerMarin Jankovski <marin@gitlab.com>2016-02-23 15:12:20 +0000
commitf317d5fcb995e40c80946f92dcf37a394c2dffbc (patch)
tree85781ca81906c5f1a020f64a9ad5bb995c258a2a
parent6263a3ca3c66c06c7776c6f6e50bde17a6a60a33 (diff)
parenta1a6f3cc737e03a8649d7cb98c3ee089133e34d7 (diff)
downloadgitlab-ce-revert-53176717.tar.gz
Merge branch 'uploads-700' into 'master' revert-53176717
Restrict permissions on public/uploads Based on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/631 See merge request !2764
-rw-r--r--doc/install/installation.md5
-rw-r--r--lib/tasks/gitlab/check.rake13
2 files changed, 10 insertions, 8 deletions
diff --git a/doc/install/installation.md b/doc/install/installation.md
index 2a5b99609e4..c1787a7c6a8 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -265,8 +265,9 @@ sudo usermod -aG redis git
# Create the public/uploads/ directory
sudo -u git -H mkdir public/uploads/
- # Make sure GitLab can write to the public/uploads/ directory
- sudo chmod -R u+rwX public/uploads
+ # Make sure only the GitLab user has access to the public/uploads/ directory
+ # now that files in public/uploads are served by gitlab-workhorse
+ sudo chmod 0700 public/uploads
# Change the permissions of the directory where CI build traces are stored
sudo chmod -R u+rwX builds/
diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index 81099cb8ba9..d59872dc3a2 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -266,7 +266,7 @@ namespace :gitlab do
unless File.directory?(Rails.root.join('public/uploads'))
puts "no".red
try_fixing_it(
- "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads"
+ "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
)
for_more_information(
see_installation_guide_section "GitLab"
@@ -278,21 +278,22 @@ namespace :gitlab do
upload_path = File.realpath(Rails.root.join('public/uploads'))
upload_path_tmp = File.join(upload_path, 'tmp')
- if File.stat(upload_path).mode == 040750
+ if File.stat(upload_path).mode == 040700
unless Dir.exists?(upload_path_tmp)
puts 'skipped (no tmp uploads folder yet)'.magenta
return
end
- # if tmp upload dir has incorrect permissions, assume others do as well
- if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions
+ # If tmp upload dir has incorrect permissions, assume others do as well
+ # Verify drwx------ permissions
+ if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
puts "yes".green
else
puts "no".red
try_fixing_it(
"sudo chown -R #{gitlab_user} #{upload_path}",
"sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
- "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;"
+ "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
)
for_more_information(
see_installation_guide_section "GitLab"
@@ -302,7 +303,7 @@ namespace :gitlab do
else
puts "no".red
try_fixing_it(
- "sudo chmod 0750 #{upload_path}",
+ "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
)
for_more_information(
see_installation_guide_section "GitLab"