| Field | Value | Date |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 10:34:06 +0000 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 10:34:06 +0000 |
| commit | 859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (patch) | |
| tree | d7f2700abe6b4ffcb2dcfc80631b2d87d0609239 /doc/security | |
| parent | 446d496a6d000c73a304be52587cd9bbc7493136 (diff) | |
| download | gitlab-ce-859a6fb938bb9ee2a317c46dfa4fcc1af49608f0.tar.gz | |
Add latest changes from gitlab-org/gitlab@13-9-stable-eev13.9.0-rc42
Diffstat (limited to 'doc/security')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/security/README.md | 2 |
| -rw-r--r-- | doc/security/asset_proxy.md | 3 |
| -rw-r--r-- | doc/security/cicd_environment_variables.md | 13 |
| -rw-r--r-- | doc/security/cicd_variables.md | 13 |
| -rw-r--r-- | doc/security/crime_vulnerability.md | 2 |
| -rw-r--r-- | doc/security/password_storage.md | 2 |
| -rw-r--r-- | doc/security/rate_limits.md | 13 |
| -rw-r--r-- | doc/security/reset_user_password.md | 93 |
| -rw-r--r-- | doc/security/two_factor_authentication.md | 8 |
| -rw-r--r-- | doc/security/unlock_user.md | 2 |
10 files changed, 95 insertions, 56 deletions
diff --git a/doc/security/README.md b/doc/security/README.md index 3b64d0229ed..b009fe5c8da 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -23,7 +23,7 @@ type: index - [Send email confirmation on sign-up](user_email_confirmation.md) - [Security of running jobs](https://docs.gitlab.com/runner/security/) - [Proxying images](asset_proxy.md) -- [CI/CD environment variables](cicd_environment_variables.md) +- [CI/CD variables](cicd_variables.md) ## Securing your GitLab installation diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md index 613743143d3..7774f5e0635 100644 --- a/doc/security/asset_proxy.md +++ b/doc/security/asset_proxy.md @@ -51,7 +51,8 @@ To install a Camo server as an asset proxy: | `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url`). | | `asset_proxy_secret_key` | Shared secret with the asset proxy server. | | `asset_proxy_url` | URL of the asset proxy server. | - | `asset_proxy_whitelist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. | + | `asset_proxy_whitelist` | (Deprecated: Use `asset_proxy_allowlist` instead) Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. | + | `asset_proxy_allowlist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. | 1. Restart the server for the changes to take effect. Each time you change any values for the asset proxy, you need to restart the server. diff --git a/doc/security/cicd_environment_variables.md b/doc/security/cicd_environment_variables.md index 4d60df8e531..7de2e17c0f9 100644 --- a/doc/security/cicd_environment_variables.md +++ b/doc/security/cicd_environment_variables.md 
@@ -1,13 +1,8 @@ --- -stage: Release -group: Release -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +redirect_to: 'cicd_variables.md' --- -# CI/CD Environment Variables +This document was moved to [another location](cicd_variables.md). -Environment variables are applied to environments via the runner and can be set from the project's **Settings > CI/CD** page. - -The values are encrypted using [aes-256-cbc](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) and stored in the database. - -This data can only be decrypted with a valid [secrets file](../raketasks/backup_restore.md#when-the-secrets-file-is-lost). +<!-- This redirect file can be deleted after 2021-05-15. --> +<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page --> diff --git a/doc/security/cicd_variables.md b/doc/security/cicd_variables.md new file mode 100644 index 00000000000..4ef8129da2a --- /dev/null +++ b/doc/security/cicd_variables.md @@ -0,0 +1,13 @@ +--- +stage: Secure +group: None +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +--- + +# CI/CD Variables + +CI/CD variables are applied to environments via the runner and can be set from the project's **Settings > CI/CD** page. + +The values are encrypted using [`aes-256-cbc`](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) and stored in the database. + +This data can only be decrypted with a valid [secrets file](../raketasks/backup_restore.md#when-the-secrets-file-is-lost). diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index c5f8afe36ad..9a43f5dfca8 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md 
@@ -58,7 +58,7 @@ vulnerability. ## References -- NGINX ["Module ngx_http_spdy_module"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html) +- NGINX ["Module `ngx_http_spdy_module`"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html) - Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"](https://www.tenable.com/plugins/index.php?view=single&id=62565) - Wikipedia contributors, ["CRIME"](https://en.wikipedia.org/wiki/CRIME) Wikipedia, The Free Encyclopedia diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index ca39defe6b9..af4b57e342a 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -11,6 +11,6 @@ GitLab stores user passwords in a hashed format, to prevent passwords from being GitLab uses the [Devise](https://github.com/heartcombo/devise) authentication library, which handles the hashing of user passwords. Password hashes are created with the following attributes: -- **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. +- **Hashing**: the [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. - **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a stretching factor of 10 by default. - **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt, to further increase security. 
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index 500ec057102..1609607ea5c 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -25,11 +25,14 @@ similarly mitigated by a rate limit. ## Admin Area settings -- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md). -- [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md). -- [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md). -- [Protected paths](../user/admin_area/settings/protected_paths.md). -- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md). +These are rate limits you can set in the Admin Area of your instance: + +- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md) +- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md) +- [Notes rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md) +- [Protected paths](../user/admin_area/settings/protected_paths.md) +- [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md) +- [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md) ## Non-configurable limits diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md index fc808452736..ed7b9f89616 100644 --- a/doc/security/reset_user_password.md +++ b/doc/security/reset_user_password.md 
@@ -7,70 +7,91 @@ type: howto # How to reset user password -To reset the password of a user, first log into your server with root privileges. +There are a few ways to reset the password of a user. -Start a Ruby on Rails console with this command: +## Rake Task + +GitLab provides a Rake Task to reset passwords of users using their usernames, +which can be invoked by the following command: ```shell -gitlab-rails console -e production +sudo gitlab-rake "gitlab:password:reset" ``` -Wait until the console has loaded. - -## Find the user +You will be asked for username, password, and password confirmation. Upon giving +proper values for them, the password of the specified user will be updated. -There are multiple ways to find your user. You can search by email or user ID number. +The Rake task also takes the username as an argument, as shown in the example +below: ```shell -user = User.where(id: 7).first +sudo gitlab-rake "gitlab:password:reset[johndoe]" ``` -or +NOTE: +To reset the default admin password, run this Rake task with the username +`root`, which is the default username of that admin account. -```shell -user = User.find_by(email: 'user@example.com') -``` +## Rails console -## Reset the password +The Rake task is capable of finding users via their usernames. However, if only +user ID or email ID of the user is known, Rails console can be used to find user +using user ID and then change password of the user manually. -Now you can change your password: +1. Start a Rails console -```shell -user.password = 'secret_pass' -user.password_confirmation = 'secret_pass' -``` + ```shell + sudo gitlab-rails console -e production + ``` -It's important that you change both password and password_confirmation to make it work. +1. Find the user either by user ID or email ID: -When using this method instead of the [Users API](../api/users.md#user-modification), GitLab sends an email to the user stating that the user changed their password. 
+ ```ruby + user = User.find(123) -If the password was changed by an administrator, execute the following command to notify the user by email: + #or -```shell -user.send_only_admin_changed_your_password_notification! -``` + user = User.find_by(email: 'user@example.com') + ``` -Don't forget to save the changes. +1. Reset the password -```shell -user.save! -``` + ```ruby + user.password = 'secret_pass' + user.password_confirmation = 'secret_pass' + ``` + +1. When using this method instead of the [Users API](../api/users.md#user-modification), + GitLab sends an email to the user stating that the user changed their + password. If the password was changed by an administrator, execute the + following command to notify the user by email: + + ```ruby + user.send_only_admin_changed_your_password_notification! + ``` -Exit the console, and then try to sign in with your new password. +1. Save the changes: + + ```ruby + user.save! + ``` + +1. Exit the console, and then try to sign in with your new password. NOTE: You can also reset passwords by using the [Users API](../api/users.md#user-modification). -### Reset your root password +## Reset your root password -The previously described steps can also be used to reset the root password. First, -identify the root user, with an `id` of `1`. To do so, run the following command: +The previously described steps can also be used to reset the root password. -```shell -user = User.where(id: 1).first -``` +In normal installations where the username of root account hasn't been changed +manually, the Rake task can be used with username `root` to reset the root +password. -After finding the user, follow the steps mentioned in the [Reset the password](#reset-the-password) section to reset the password of the root user. 
+If the username was changed to something else and has been forgotten, one +possible way is to reset the password using Rails console with user ID `1` (in +almost all the cases, the first user will be the default admin account). <!-- ## Troubleshooting diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index 4911cf63489..7a9ed9d435d 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md @@ -110,9 +110,10 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> -## Two-factor Authentication (2FA) for Git over SSH operations +## Two-factor Authentication (2FA) for Git over SSH operations **(PREMIUM)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7. +> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/299088) from GitLab Free to GitLab Premium in 13.9. > - It's [deployed behind a feature flag](../user/feature_flags.md), disabled by default. > - It's disabled on GitLab.com. > - It's not recommended for production use. @@ -149,3 +150,8 @@ To disable it: ```ruby Feature.disable(:two_factor_for_cli) ``` + +The feature flag affects these features: + +- [Two-factor Authentication (2FA) for Git over SSH operations](#two-factor-authentication-2fa-for-git-over-ssh-operations). +- [Customize session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled). diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md index 2a26b71071b..45da283f33e 100644 --- a/doc/security/unlock_user.md +++ b/doc/security/unlock_user.md 
@@ -40,7 +40,7 @@ To unlock a locked user: user.unlock_access! ``` -1. Exit the console with <kbd>Ctrl</kbd>+<kbd>d</kbd> +1. Exit the console with <kbd>Control</kbd>+<kbd>d</kbd> The user should now be able to log in. |
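Review bot: in the asset_proxy.md hunk, the new `asset_proxy_allowlist` row and the row that deprecates `asset_proxy_whitelist` do not say whether the deprecated key is still honoured or which key wins when both are set; add one sentence on that, because an operator who migrates the setting and gets it wrong silently changes which domains bypass the proxy. The unchanged `asset_proxy_enabled` row in the same table carries a stray closing parenthesis in "requires: `asset_proxy_url`)." that could be dropped while the table is being edited.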
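Review bot: the new cicd_variables.md states only that values are encrypted with `aes-256-cbc` in the database and can be decrypted with the secrets file, which reads as if that were the whole protection; state the scope explicitly (encryption at rest in the database, not access control for jobs that use the variable) and link readers who need the latter to the variable-scoping documentation, since this page now sits under doc/security. Also, `group: None` in the new front matter looks like a placeholder next to the `stage: Release` / `group: Release` pair the removed page carried.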
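Review bot: in the reset_user_password.md hunk, step 4 places `user.send_only_admin_changed_your_password_notification!` before `user.save!` in step 5 but never says whether that order is required; say so explicitly, otherwise a reader who saves first may trigger the default "you changed your password" e-mail the same paragraph warns about. In the root section, "in almost all the cases, the first user will be the default admin account" is a guess the reader cannot verify from the text; suggest checking the account before changing anything, for example `user.username` and `user.admin?` right after the lookup. Minor: `User.find(123)` raises `ActiveRecord::RecordNotFound` when the ID does not exist while `User.find_by(email: ...)` returns `nil`, so the two lookups fail differently; a one-line note avoids confusion at step 3. Style: `#or` in the Ruby block should be `# or`.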