diff options
| author | Marin Jankovski <marin@gitlab.com> | 2016-02-23 15:12:20 +0000 |
|---|---|---|
| committer | Marin Jankovski <marin@gitlab.com> | 2016-02-23 15:12:20 +0000 |
| commit | f317d5fcb995e40c80946f92dcf37a394c2dffbc (patch) | |
| tree | 85781ca81906c5f1a020f64a9ad5bb995c258a2a | |
| parent | 6263a3ca3c66c06c7776c6f6e50bde17a6a60a33 (diff) | |
| parent | a1a6f3cc737e03a8649d7cb98c3ee089133e34d7 (diff) | |
| download | gitlab-ce-revert-53176717.tar.gz | |
Merge branch 'uploads-700' into 'master'
revert-53176717
Restrict permissions on public/uploads
Based on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/631
See merge request !2764
| -rw-r--r-- | doc/install/installation.md | 5 | ||||
| -rw-r--r-- | lib/tasks/gitlab/check.rake | 13 |
2 files changed, 10 insertions, 8 deletions
diff --git a/doc/install/installation.md b/doc/install/installation.md index 2a5b99609e4..c1787a7c6a8 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md @@ -265,8 +265,9 @@ sudo usermod -aG redis git # Create the public/uploads/ directory sudo -u git -H mkdir public/uploads/ - # Make sure GitLab can write to the public/uploads/ directory - sudo chmod -R u+rwX public/uploads + # Make sure only the GitLab user has access to the public/uploads/ directory + # now that files in public/uploads are served by gitlab-workhorse + sudo chmod 0700 public/uploads # Change the permissions of the directory where CI build traces are stored sudo chmod -R u+rwX builds/ diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake index 81099cb8ba9..d59872dc3a2 100644 --- a/lib/tasks/gitlab/check.rake +++ b/lib/tasks/gitlab/check.rake @@ -266,7 +266,7 @@ namespace :gitlab do unless File.directory?(Rails.root.join('public/uploads')) puts "no".red try_fixing_it( - "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads" + "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads" ) for_more_information( see_installation_guide_section "GitLab" @@ -278,21 +278,22 @@ namespace :gitlab do upload_path = File.realpath(Rails.root.join('public/uploads')) upload_path_tmp = File.join(upload_path, 'tmp') - if File.stat(upload_path).mode == 040750 + if File.stat(upload_path).mode == 040700 unless Dir.exists?(upload_path_tmp) puts 'skipped (no tmp uploads folder yet)'.magenta return end - # if tmp upload dir has incorrect permissions, assume others do as well - if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions + # If tmp upload dir has incorrect permissions, assume others do as well + # Verify drwx------ permissions + if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp) puts "yes".green else puts "no".red try_fixing_it( "sudo chown -R #{gitlab_user} #{upload_path}", "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;", - "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;" + "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;" ) for_more_information( see_installation_guide_section "GitLab" @@ -302,7 +303,7 @@ namespace :gitlab do else puts "no".red try_fixing_it( - "sudo chmod 0750 #{upload_path}", + "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;" ) for_more_information( see_installation_guide_section "GitLab" |