Restrict permissions on public/uploads

2016-02-09 11:19:25 +02:00 · 2016-02-09 11:19:25 +02:00 · 751ae14081
commit 751ae14081
parent 555b1a621a
2 changed files with 11 additions and 9 deletions
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@ -268,10 +268,11 @@ sudo usermod -aG redis git
    sudo chmod -R u+rwX tmp/sockets/

    # Create the public/uploads/ directory
-    sudo -u git -H mkdir public/uploads/
+    sudo -u git -H mkdir -m 0700 public/uploads/

-    # Make sure GitLab can write to the public/uploads/ directory
-    sudo chmod -R u+rwX  public/uploads
+    # Make sure only the GitLab user has access to the public/uploads/ directory
+    # now that files in public/uploads are served by gitlab-workhorse
+    sudo chmod -R go-rwX  public/uploads

    # Change the permissions of the directory where CI build traces are stored
    sudo chmod -R u+rwX builds/
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@ -285,7 +285,7 @@ namespace :gitlab do
      unless File.directory?(Rails.root.join('public/uploads'))
        puts "no".red
        try_fixing_it(
-          "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads"
+          "sudo -u #{gitlab_user} mkdir -m 0700 #{Rails.root}/public/uploads"
        )
        for_more_information(
          see_installation_guide_section "GitLab"
@ -297,21 +297,22 @@ namespace :gitlab do
      upload_path = File.realpath(Rails.root.join('public/uploads'))
      upload_path_tmp = File.join(upload_path, 'tmp')

-      if File.stat(upload_path).mode == 040750
+      if File.stat(upload_path).mode == 040700
        unless Dir.exists?(upload_path_tmp)
          puts 'skipped (no tmp uploads folder yet)'.magenta
          return
        end

-        # if tmp upload dir has incorrect permissions, assume others do as well
-        if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions
+        # If tmp upload dir has incorrect permissions, assume others do as well
+        # Verify drwx------ permissions
+        if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
          puts "yes".green
        else
          puts "no".red
          try_fixing_it(
            "sudo chown -R #{gitlab_user} #{upload_path}",
            "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
-            "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;"
+            "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
          )
          for_more_information(
            see_installation_guide_section "GitLab"
@ -321,7 +322,7 @@ namespace :gitlab do
      else
        puts "no".red
        try_fixing_it(
-          "sudo chmod 0750 #{upload_path}",
+          "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
        )
        for_more_information(
          see_installation_guide_section "GitLab"