From 03b8dcce87c976a37a4de044e9f7cdfb8d64a3b7 Mon Sep 17 00:00:00 2001
From: Marin Jankovski <marin@gitlab.com>
Date: Wed, 2 Apr 2014 15:25:26 +0200
Subject: [PATCH] Change the satellites directory permission in the install
 guide, add to rake check task.

---
 CHANGELOG                   |  1 +
 doc/install/installation.md |  1 +
 lib/tasks/gitlab/check.rake | 24 ++++++++++++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index d936986a779..1b742a4d9b2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ v 6.8.0
   - Drop all tables before restoring a Postgres backup
   - Make the repository downloads path configurable
   - Create branches via API (sponsored by O'Reilly Media)
+  - Changed permission of gitlab-satellites directory not to be world accessible
 
 v 6.7.2
   - Fix upgrader script
diff --git a/doc/install/installation.md b/doc/install/installation.md
index addb21b50e0..efcba2f69bf 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -202,6 +202,7 @@ You can change `6-6-stable` to `master` if you want the *bleeding edge* version,
 
     # Create directory for satellites
     sudo -u git -H mkdir /home/git/gitlab-satellites
+    sudo chmod o-rwx /home/git/gitlab-satellites
 
     # Create directories for sockets/pids and make sure GitLab can write to them
     sudo -u git -H mkdir tmp/pids/
diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index 3b9b2531bf7..e9258cc626b 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -342,6 +342,7 @@ namespace :gitlab do
       check_repo_base_is_not_symlink
       check_repo_base_user_and_group
       check_repo_base_permissions
+      check_satellites_permissions
       check_update_hook_is_up_to_date
       check_repos_update_hooks_is_link
       check_gitlab_shell_self_test
@@ -443,6 +444,29 @@ namespace :gitlab do
       end
     end
 
+    def check_satellites_permissions
+      print "Satellites access is drwxr-x---? ... "
+
+      satellites_path = Gitlab.config.satellites.path
+      unless File.exists?(satellites_path)
+        puts "can't check because of previous errors".magenta
+        return
+      end
+
+      if File.stat(satellites_path).mode.to_s(8).ends_with?("0750")
+        puts "yes".green
+      else
+        puts "no".red
+        try_fixing_it(
+          "sudo chmod u+rwx,g+rx,o-rwx #{satellites_path}",
+        )
+        for_more_information(
+          see_installation_guide_section "GitLab"
+        )
+        fix_and_rerun
+      end
+    end
+
     def check_repo_base_user_and_group
       gitlab_shell_ssh_user = Gitlab.config.gitlab_shell.ssh_user
       gitlab_shell_owner_group = Gitlab.config.gitlab_shell.owner_group