4 files changed, 17 insertions, 8 deletions

diff --git a/lib/backup/database.rb b/lib/backup/database.rb
index b8aa6b9ff2f..bbb230a10f0 100644
--- a/lib/backup/database.rb
+++ b/lib/backup/database.rb
@@ -7,7 +7,11 @@ module Backup
     def initialize
       @config = YAML.load_file(File.join(Rails.root,'config','database.yml'))[Rails.env]
       @db_dir = File.join(Gitlab.config.backup.path, 'db')
-      FileUtils.mkdir_p(@db_dir) unless Dir.exists?(@db_dir)
+      FileUtils.rm_rf(@db_dir)
+      # Ensure the parent dir of @db_dir exists
+      FileUtils.mkdir_p(Gitlab.config.backup.path)
+      # Fail if somebody raced to create @db_dir before us
+      FileUtils.mkdir(@db_dir, mode: 0700)
     end
 
     def dump
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 6fa2079d1a8..13c68d9354f 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -16,18 +16,16 @@ module Backup
           file << s.to_yaml.gsub(/^---\n/,'')
         end
 
-        FileUtils.chmod(0700, folders_to_backup)
-
         # create archive
         $progress.print "Creating backup archive: #{tar_file} ... "
-        orig_umask = File.umask(0077)
-        if Kernel.system('tar', '-cf', tar_file, *backup_contents)
+        # Set file permissions on open to prevent chmod races.
+        tar_system_options = {out: [tar_file, 'w', Gitlab.config.backup.archive_permissions]}
+        if Kernel.system('tar', '-cf', '-', *backup_contents, tar_system_options)
           $progress.puts "done".green
         else
           puts "creating archive #{tar_file} failed".red
           abort 'Backup failed'
         end
-        File.umask(orig_umask)
 
         upload(tar_file)
       end
diff --git a/lib/backup/repository.rb b/lib/backup/repository.rb
index dfb2da9f84e..4d70f7883dd 100644
--- a/lib/backup/repository.rb
+++ b/lib/backup/repository.rb
@@ -130,7 +130,10 @@ module Backup
 
     def prepare
       FileUtils.rm_rf(backup_repos_path)
-      FileUtils.mkdir_p(backup_repos_path)
+      # Ensure the parent dir of backup_repos_path exists
+      FileUtils.mkdir_p(Gitlab.config.backup.path)
+      # Fail if somebody raced to create backup_repos_path before us
+      FileUtils.mkdir(backup_repos_path, mode: 0700)
     end
 
     def silent
diff --git a/lib/backup/uploads.rb b/lib/backup/uploads.rb
index bf43610acf6..1f9626644e6 100644
--- a/lib/backup/uploads.rb
+++ b/lib/backup/uploads.rb
@@ -10,7 +10,11 @@ module Backup
 
     # Copy uploads from public/uploads to backup/uploads
     def dump
-      FileUtils.mkdir_p(backup_uploads_dir)
+      FileUtils.rm_rf(backup_uploads_dir)
+      # Ensure the parent dir of backup_uploads_dir exists
+      FileUtils.mkdir_p(Gitlab.config.backup.path)
+      # Fail if somebody raced to create backup_uploads_dir before us
+      FileUtils.mkdir(backup_uploads_dir, mode: 0700)
       FileUtils.cp_r(app_uploads_dir, backup_dir)
     end