Merge branch 'uploads-700' into 'master'

Restrict permissions on public/uploads Based on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/631 See merge request !2764

Merge branch 'uploads-700' into 'master'
Restrict permissions on public/uploads Based on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/631 See merge request !2764
4f946f03 · Marin Jankovski · Rémy Coutable · 1f368f2b · 4f946f03 · 4f946f03
Commit 4f946f03 authored Feb 23, 2016 by Marin Jankovski Committed by Rémy Coutable Feb 23, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 8 deletions

CHANGELOG CHANGELOG +1 -0

doc/install/installation.md doc/install/installation.md +3 -2

lib/tasks/gitlab/check.rake lib/tasks/gitlab/check.rake +7 -6

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -7,6 +7,7 @@ v 8.5.1
  - Issues can now be dragged & dropped into empty milestone lists. This is also
    possible with MRs
  - Fix an issue where MRs weren't sortable
+  - Restrict permissions on public/uploads
 v 8.5.0
  - Fix duplicate "me" in tooltip of the "thumbsup" awards Emoji (Stan Hu)

--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -265,8 +265,9 @@ sudo usermod -aG redis git
    # Create the public/uploads/ directory
    sudo -u git -H mkdir public/uploads/
-    # Make sure GitLab can write to the public/uploads/ directory
+    # Make sure only the GitLab user has access to the public/uploads/ directory
-    sudo chmod -R u+rwX  public/uploads
+    # now that files in public/uploads are served by gitlab-workhorse
+    sudo chmod 0700 public/uploads
    # Change the permissions of the directory where CI build traces are stored
    sudo chmod -R u+rwX builds/

--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -266,7 +266,7 @@ namespace :gitlab do
      unless File.directory?(Rails.root.join('public/uploads'))
        puts "no".red
        try_fixing_it(
-          "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads"
+          "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
        )
        for_more_information(
          see_installation_guide_section "GitLab"
@@ -278,21 +278,22 @@ namespace :gitlab do
      upload_path = File.realpath(Rails.root.join('public/uploads'))
      upload_path_tmp = File.join(upload_path, 'tmp')
-      if File.stat(upload_path).mode == 040750
+      if File.stat(upload_path).mode == 040700
        unless Dir.exists?(upload_path_tmp)
          puts 'skipped (no tmp uploads folder yet)'.magenta
          return
        end
-        # if tmp upload dir has incorrect permissions, assume others do as well
+        # If tmp upload dir has incorrect permissions, assume others do as well
-        if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions
+        # Verify drwx------ permissions
+        if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
          puts "yes".green
        else
          puts "no".red
          try_fixing_it(
            "sudo chown -R #{gitlab_user} #{upload_path}",
            "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
-            "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;"
+            "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
          )
          for_more_information(
            see_installation_guide_section "GitLab"
@@ -302,7 +303,7 @@ namespace :gitlab do
      else
        puts "no".red
        try_fixing_it(
-          "sudo chmod 0750 #{upload_path}",
+          "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
        )
        for_more_information(
          see_installation_guide_section "GitLab"