Commit 751ae140 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis

Restrict permissions on public/uploads

parent 555b1a62
...@@ -268,10 +268,11 @@ sudo usermod -aG redis git ...@@ -268,10 +268,11 @@ sudo usermod -aG redis git
sudo chmod -R u+rwX tmp/sockets/ sudo chmod -R u+rwX tmp/sockets/
# Create the public/uploads/ directory # Create the public/uploads/ directory
sudo -u git -H mkdir public/uploads/ sudo -u git -H mkdir -m 0700 public/uploads/
# Make sure GitLab can write to the public/uploads/ directory # Make sure only the GitLab user has access to the public/uploads/ directory
sudo chmod -R u+rwX public/uploads # now that files in public/uploads are served by gitlab-workhorse
sudo chmod -R go-rwX public/uploads
# Change the permissions of the directory where CI build traces are stored # Change the permissions of the directory where CI build traces are stored
sudo chmod -R u+rwX builds/ sudo chmod -R u+rwX builds/
......
...@@ -285,7 +285,7 @@ namespace :gitlab do ...@@ -285,7 +285,7 @@ namespace :gitlab do
unless File.directory?(Rails.root.join('public/uploads')) unless File.directory?(Rails.root.join('public/uploads'))
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads" "sudo -u #{gitlab_user} mkdir -m 0700 #{Rails.root}/public/uploads"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
...@@ -297,21 +297,22 @@ namespace :gitlab do ...@@ -297,21 +297,22 @@ namespace :gitlab do
upload_path = File.realpath(Rails.root.join('public/uploads')) upload_path = File.realpath(Rails.root.join('public/uploads'))
upload_path_tmp = File.join(upload_path, 'tmp') upload_path_tmp = File.join(upload_path, 'tmp')
if File.stat(upload_path).mode == 040750 if File.stat(upload_path).mode == 040700
unless Dir.exists?(upload_path_tmp) unless Dir.exists?(upload_path_tmp)
puts 'skipped (no tmp uploads folder yet)'.magenta puts 'skipped (no tmp uploads folder yet)'.magenta
return return
end end
# if tmp upload dir has incorrect permissions, assume others do as well # If tmp upload dir has incorrect permissions, assume others do as well
if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions # Verify drwx------ permissions
if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
puts "yes".green puts "yes".green
else else
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo chown -R #{gitlab_user} #{upload_path}", "sudo chown -R #{gitlab_user} #{upload_path}",
"sudo find #{upload_path} -type f -exec chmod 0644 {} \\;", "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
"sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;" "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
...@@ -321,7 +322,7 @@ namespace :gitlab do ...@@ -321,7 +322,7 @@ namespace :gitlab do
else else
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo chmod 0750 #{upload_path}", "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment