From 751ae140813e45e3a48b0e3ed7ab08c5461c5e51 Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Tue, 9 Feb 2016 11:19:25 +0200
Subject: [PATCH 1/2] Restrict permissions on public/uploads
---
 doc/install/installation.md | 7 ++++---
 lib/tasks/gitlab/check.rake | 13 +++++++------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/doc/install/installation.md b/doc/install/installation.md
index 3eb9b1767c5..0e569d34772 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -268,10 +268,11 @@ sudo usermod -aG redis git
 sudo chmod -R u+rwX tmp/sockets/
 # Create the public/uploads/ directory
- sudo -u git -H mkdir public/uploads/
+ sudo -u git -H mkdir -m 0700 public/uploads/
- # Make sure GitLab can write to the public/uploads/ directory
- sudo chmod -R u+rwX public/uploads
+ # Make sure only the GitLab user has access to the public/uploads/ directory
+ # now that files in public/uploads are served by gitlab-workhorse
+ sudo chmod -R go-rwX public/uploads
 # Change the permissions of the directory where CI build traces are stored
 sudo chmod -R u+rwX builds/
diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index 2dc2953e328..d6e17821d41 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -285,7 +285,7 @@ namespace :gitlab do
 unless File.directory?(Rails.root.join('public/uploads'))
 puts "no".red
 try_fixing_it(
- "sudo -u #{gitlab_user} mkdir -m 750 #{Rails.root}/public/uploads"
+ "sudo -u #{gitlab_user} mkdir -m 0700 #{Rails.root}/public/uploads"
 )
 for_more_information(
 see_installation_guide_section "GitLab"
@@ -297,21 +297,22 @@ namespace :gitlab do
 upload_path = File.realpath(Rails.root.join('public/uploads'))
 upload_path_tmp = File.join(upload_path, 'tmp')
- if File.stat(upload_path).mode == 040750
+ if File.stat(upload_path).mode == 040700
 unless Dir.exists?(upload_path_tmp)
 puts 'skipped (no tmp uploads folder yet)'.magenta
 return
 end
- # if tmp upload dir has incorrect permissions, assume others do as well
- if File.stat(upload_path_tmp).mode == 040755 && File.owned?(upload_path_tmp) # verify drwxr-xr-x permissions
+ # If tmp upload dir has incorrect permissions, assume others do as well
+ # Verify drwx------ permissions
+ if File.stat(upload_path_tmp).mode == 040700 && File.owned?(upload_path_tmp)
 puts "yes".green
 else
 puts "no".red
 try_fixing_it(
 "sudo chown -R #{gitlab_user} #{upload_path}",
 "sudo find #{upload_path} -type f -exec chmod 0644 {} \\;",
- "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0755 {} \\;"
+ "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
 )
 for_more_information(
 see_installation_guide_section "GitLab"
@@ -321,7 +322,7 @@ namespace :gitlab do
 else
 puts "no".red
 try_fixing_it(
- "sudo chmod 0750 #{upload_path}",
+ "sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"
 )
 for_more_information(
 see_installation_guide_section "GitLab"
From a1a6f3cc737e03a8649d7cb98c3ee089133e34d7 Mon Sep 17 00:00:00 2001
From: Achilleas Pipinellis
Date: Wed, 10 Feb 2016 16:52:02 +0200
Subject: [PATCH 2/2] Simplify permissions creation [ci skip]
---
 doc/install/installation.md | 4 ++--
 lib/tasks/gitlab/check.rake | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/doc/install/installation.md b/doc/install/installation.md
index 0e569d34772..6467a395732 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
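Review bot: The outer gate `if File.stat(upload_path).mode == 040700` tests only the mode of public/uploads and never its owner, while the inner tmp check pairs the mode test with `File.owned?(upload_path_tmp)`. Once the tree is 0700 the owner is the only principal with any access at all, so a top-level directory that is 0700 but owned by another account (root after a plain `sudo mkdir`, for instance) passes the first gate and yet locks the GitLab user out completely. Suggest `if File.stat(upload_path).mode == 040700 && File.owned?(upload_path)`, so that the `else` branch's fix list is reached and can start with the same `"sudo chown -R #{gitlab_user} #{upload_path}",` the inner branch already offers; this assumes the check task runs as the GitLab user, which the existing `File.owned?` test also relies on. The enclosing task body starts before this hunk and continues past it.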
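Review bot: The new fix command `"sudo find #{upload_path} -type d -not -path #{upload_path} -exec chmod 0700 {} \\;"` explicitly excludes `upload_path` itself, yet this `else` branch is taken precisely when `File.stat(upload_path).mode` is not 040700 (the `if` lives in the previous hunk), so running the suggested command never touches the one directory that failed and the next `gitlab:check` run reports "no" again. The removed `sudo chmod 0750 #{upload_path}` at least targeted the right path; the entry should become `"sudo chmod 0700 #{upload_path}",` with the recursive `find` over subdirectories kept as a second entry only if that is also wanted here. The `else` closes an `if` that starts outside this hunk.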
@@ -268,11 +268,11 @@ sudo usermod -aG redis git
 sudo chmod -R u+rwX tmp/sockets/
 # Create the public/uploads/ directory
- sudo -u git -H mkdir -m 0700 public/uploads/
+ sudo -u git -H mkdir public/uploads/
 # Make sure only the GitLab user has access to the public/uploads/ directory
 # now that files in public/uploads are served by gitlab-workhorse
- sudo chmod -R go-rwX public/uploads
+ sudo chmod 0700 public/uploads
 # Change the permissions of the directory where CI build traces are stored
 sudo chmod -R u+rwX builds/
diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index d6e17821d41..69d04400d02 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -285,7 +285,7 @@ namespace :gitlab do
 unless File.directory?(Rails.root.join('public/uploads'))
 puts "no".red
 try_fixing_it(
- "sudo -u #{gitlab_user} mkdir -m 0700 #{Rails.root}/public/uploads"
+ "sudo -u #{gitlab_user} mkdir #{Rails.root}/public/uploads"
 )
 for_more_information(
 see_installation_guide_section "GitLab"
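Review bot: Dropping `-m 0700` leaves the mode of the newly created directory to the umask of the `sudo -u #{gitlab_user} mkdir` call, whereas the installation guide changed in the same commit follows its `mkdir` with an explicit `sudo chmod 0700 public/uploads`; the rake suggestion now performs only the first half of that recipe. With a typical 022 umask the directory would come out 0755, and the later `File.stat(upload_path).mode == 040700` gate (outside this hunk) would fail on the next run, pushing the administrator through a second fix cycle. Suggest mirroring the guide by adding `"sudo chmod 0700 #{Rails.root}/public/uploads"` as a second element of this `try_fixing_it` list. The enclosing `unless` block starts and ends outside the hunk.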