Commit 4f946f03 authored by Marin Jankovski's avatar Marin Jankovski Committed by Rémy Coutable

Merge branch 'uploads-700' into 'master'

Restrict permissions on public/uploads

Based on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/631

See merge request !2764
parent 1f368f2b
...@@ -7,6 +7,7 @@ v 8.5.1 ...@@ -7,6 +7,7 @@ v 8.5.1
- Issues can now be dragged & dropped into empty milestone lists. This is also - Issues can now be dragged & dropped into empty milestone lists. This is also
possible with MRs possible with MRs
- Fix an issue where MRs weren't sortable - Fix an issue where MRs weren't sortable
- Restrict permissions on public/uploads
v 8.5.0 v 8.5.0
- Fix duplicate "me" in tooltip of the "thumbsup" awards Emoji (Stan Hu) - Fix duplicate "me" in tooltip of the "thumbsup" awards Emoji (Stan Hu)
......
...@@ -265,8 +265,9 @@ sudo usermod -aG redis git ...@@ -265,8 +265,9 @@ sudo usermod -aG redis git
# Create the public/uploads/ directory # Create the public/uploads/ directory
sudo -u git -H mkdir public/uploads/ sudo -u git -H mkdir public/uploads/
# Make sure GitLab can write to the public/uploads/ directory # Make sure only the GitLab user has access to the public/uploads/ directory
sudo chmod -R u+rwX public/uploads # now that files in public/uploads are served by gitlab-workhorse
sudo chmod 0700 public/uploads
# Change the permissions of the directory where CI build traces are stored # Change the permissions of the directory where CI build traces are stored
sudo chmod -R u+rwX builds/ sudo chmod -R u+rwX builds/
......
...@@ -266,7 +266,7 @@ namespace :gitlab do ...@@ -266,7 +266,7 @@ namespace :gitlab do
unless File.directory?(Rails.root.join('public/uploads')) unless File.directory?(Rails.root.join('public/uploads'))
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads" "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
...@@ -278,21 +278,22 @@ namespace :gitlab do ...@@ -278,21 +278,22 @@ namespace :gitlab do
upload_path = File.realpath(Rails.root.join('public/uploads')) upload_path = File.realpath(Rails.root.join('public/uploads'))
upload_path_tmp = File.join(upload_path, 'tmp') upload_path_tmp = File.join(upload_path, 'tmp')
if File.stat(upload_path).mode == 040750 if File.stat(upload_path).mode == 040700
unless Dir.exists?(upload_path_tmp) unless Dir.exists?(upload_path_tmp)
puts 'skipped (no tmp uploads folder yet)'.magenta puts 'skipped (no tmp uploads folder yet)'.magenta
return return
end end
# if tmp upload dir has incorrect permissions, assume others do as well # If tmp upload dir has incorrect permissions, assume others do as well
if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions # Verify drwx------ permissions
if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
puts "yes".green puts "yes".green
else else
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo chown -R #{gitlab_user} #{upload_path}", "sudo chown -R #{gitlab_user} #{upload_path}",
"sudo find #{upload_path} -type f -exec chmod 0644 {} \\;", "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
"sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;" "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
...@@ -302,7 +303,7 @@ namespace :gitlab do ...@@ -302,7 +303,7 @@ namespace :gitlab do
else else
puts "no".red puts "no".red
try_fixing_it( try_fixing_it(
"sudo chmod 0750 #{upload_path}", "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
) )
for_more_information( for_more_information(
see_installation_guide_section "GitLab" see_installation_guide_section "GitLab"
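Review bot: The replacement fix-it command in this else branch excludes the top-level directory via `-not -path #{upload_path}`, yet the branch is the one taken when the mode check on `upload_path` itself fails (the paired `if File.stat(upload_path).mode == 040700` appears in the earlier hunk), so an operator following the advice never changes the directory that failed the check; the removed `sudo chmod 0750 #{upload_path}` line at least targeted it. Keep a chmod of the top-level directory in the suggestion, e.g. `"sudo chmod 0700 #{upload_path}",` followed by `"sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"`, so both the directory and its subdirectories end up at the mode the checks on the previous hunk require. The surrounding `if`/`else` and the enclosing task begin outside this hunk.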
......