[DRE-commits] [gitlab] 03/05: restrict file permissions for secrets
Praveen Arimbrathodiyil
praveen at moszumanska.debian.org
Tue Apr 5 09:00:50 UTC 2016
This is an automated email from the git hooks/post-receive script.
praveen pushed a commit to branch master
in repository gitlab.
commit 35848950c34a13c2e2a9b84792ed7408df6fac96
Author: Praveen Arimbrathodiyil <praveen at debian.org>
Date: Tue Apr 5 12:37:43 2016 +0530
restrict file permissions for secrets
---
debian/changelog | 1 +
debian/rake-tasks.sh | 9 ++++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 21dc252..2ce03a1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ gitlab (8.5.8+dfsg-4) UNRELEASED; urgency=medium
* Tighten version requirements for dependencies
* Fix permissions for uploads
* Run db:migrate when db exist
+ * Restrict file permissions for secret files (Closes: #819412)
-- Pirate Praveen <praveen at debian.org> Tue, 05 Apr 2016 11:38:52 +0530
diff --git a/debian/rake-tasks.sh b/debian/rake-tasks.sh
index 5077c8f..a9e15b3 100755
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -14,8 +14,15 @@ if ! [ -f "${gitlab_app_root}/config/secrets.yml" ]; then
cp ${gitlab_app_root}/config/secrets.yml.example ${gitlab_app_root}/config/secrets.yml
sed -i "s/# db_key_base:/db_key_base: ${gitlab_app_secret}/" ${gitlab_app_root}/config/secrets.yml
- echo ${gitlab_app_root} > ${gitlab_app_root}/.secret
+ echo ${gitlab_app_secret} > ${gitlab_app_root}/.secret
}
+
+# Restrict permissions for secret files
+
+chmod 0700 ${gitlab_data_dir}/.secret
+chmod 0700 ${gitlab_data_dir}/.gitlab_shell_secret
+chmod 0700 ${gitlab_conf}/secrets.yml
+
fi
if [ "$(LANG=C su postgres -c "psql gitlab_production -c \"\d\"")" = \
"No relations found." ]; then
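Review bot: The three `chmod` lines sit above the `fi`, so they appear to run only in the branch taken when `config/secrets.yml` does not exist yet; installations upgraded from an earlier package version would keep whatever modes their secret files already have. The enclosing `if` starts outside this hunk, so that reading needs confirming, but if it holds the calls belong after the `fi`. The files are also created under the default umask before the `chmod` runs, so a `umask 077` ahead of the `cp` and `echo` would close that window, and `0600` fits regular files better than `0700`, which also sets the execute bit. The secret is written to `${gitlab_app_root}/.secret` while the mode is changed on `${gitlab_data_dir}/.secret` (likewise for `secrets.yml` under `${gitlab_conf}`), which is only correct if those paths resolve to the same file; quoting the expansions, e.g. `chmod 0600 "${gitlab_data_dir}/.secret"`, would also be safer.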
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/gitlab.git