diff options
| author | Achilleas Pipinellis <axilleas@axilleas.me> | 2016-02-09 11:19:25 +0200 |
|---|---|---|
| committer | Achilleas Pipinellis <axilleas@axilleas.me> | 2016-02-09 11:35:19 +0200 |
| commit | 751ae140813e45e3a48b0e3ed7ab08c5461c5e51 (patch) | |
| tree | 370778d5aa85a75ee7f94035c446bbb0b5deac98 | |
| parent | 555b1a621a9a73e8cdead9888375a43a8e59f639 (diff) | |
| download | gitlab-ce-751ae140813e45e3a48b0e3ed7ab08c5461c5e51.tar.gz | |
Restrict permissions on public/uploads
| -rw-r--r-- | doc/install/installation.md | 7 | ||||
| -rw-r--r-- | lib/tasks/gitlab/check.rake | 13 |
2 files changed, 11 insertions, 9 deletions
diff --git a/doc/install/installation.md b/doc/install/installation.md index 3eb9b1767c5..0e569d34772 100644 --- a/doc/install/installation.md +++ b/doc/install/installation.md @@ -268,10 +268,11 @@ sudo usermod -aG redis git sudo chmod -R u+rwX tmp/sockets/ # Create the public/uploads/ directory - sudo -u git -H mkdir public/uploads/ + sudo -u git -H mkdir -m 0700 public/uploads/ - # Make sure GitLab can write to the public/uploads/ directory - sudo chmod -R u+rwX public/uploads + # Make sure only the GitLab user has access to the public/uploads/ directory + # now that files in public/uploads are served by gitlab-workhorse + sudo chmod -R go-rwX public/uploads # Change the permissions of the directory where CI build traces are stored sudo chmod -R u+rwX builds/ diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake index 2dc2953e328..d6e17821d41 100644 --- a/lib/tasks/gitlab/check.rake +++ b/lib/tasks/gitlab/check.rake @@ -285,7 +285,7 @@ namespace :gitlab do unless File.directory?(Rails.root.join('public/uploads')) puts "no".red try_fixing_it( - "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads" + "sudo -u #{gitlab_user} mkdir -m 0700 #{Rails.root}/public/uploads" ) for_more_information( see_installation_guide_section "GitLab" @@ -297,21 +297,22 @@ namespace :gitlab do upload_path = File.realpath(Rails.root.join('public/uploads')) upload_path_tmp = File.join(upload_path, 'tmp') - if File.stat(upload_path).mode == 040750 + if File.stat(upload_path).mode == 040700 unless Dir.exists?(upload_path_tmp) puts 'skipped (no tmp uploads folder yet)'.magenta return end - # if tmp upload dir has incorrect permissions, assume others do as well - if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions + # If tmp upload dir has incorrect permissions, assume others do as well + # Verify drwx------ permissions + if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp) puts "yes".green else puts "no".red try_fixing_it( "sudo chown -R #{gitlab_user} #{upload_path}", "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;", - "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;" + "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;" ) for_more_information( see_installation_guide_section "GitLab" @@ -321,7 +322,7 @@ namespace :gitlab do else puts "no".red try_fixing_it( - "sudo chmod 0750 #{upload_path}", + "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;" ) for_more_information( see_installation_guide_section "GitLab" |