[DRE-maint] Bug#814476: closed by Pirate Praveen <praveen at debian.org> (Bug#814476: fixed in gitlab 8.4.3+dfsg-4)
Pirate Praveen
praveen at autistici.org
Mon Feb 15 07:34:02 UTC 2016
On Sun, 14 Feb 2016 16:02:03 +0100 Johannes Schauer <josch at debian.org>
wrote:
> Control: found -1 8.4.3+dfsg-6
>
> Hi,
>
> Quoting Debian Bug Tracking System (2016-02-13 18:24:16)
> > This is an automatic notification regarding your Bug report
> > which was filed against the gitlab package:
> >
> > #814476: gitlab writes into /usr/share/gitlab during operation
> >
> > It has been closed by Pirate Praveen <praveen at debian.org>.
>
> sorry but this bug is still not fixed.
>
> As you can read in my initial report, this bug is about violation of Debian
> policy §9.1.1 and gitlab is still writing files into /usr/share/gitlab during
> operation or stores host-specific configuration in /usr/share/gitlab. Let me
> quote chapter 4 of the FHS again:
>
> "/usr is the second major section of the filesystem. /usr is shareable,
> read-only data. That means that /usr should be shareable between various
> FHS-compliant hosts and must not be written to. Any information that is
> host-specific or varies with time is stored elsewhere."
>
> Since you seem to have thought that only the log files were a problem, here are
> some more offenders:
Thanks for digging deeper.
> - /usr/share/gitlab/.ssh/authorized_keys
> - /usr/share/gitlab/.secret
yes, I should move those too.
> - /usr/share/gitlab/config/database.yml
> - /usr/share/gitlab/config/gitlab.yml
> - /usr/share/gitlab/config/resque.yml
There are symbolic links to /etc,
~$ ls -l /usr/share/gitlab/config/*.yml
lrwxrwxrwx 1 gitlab gitlab 24 Feb 13 23:54 /usr/share/gitlab/config/database.yml -> /etc/gitlab/database.yml
-rw-r--r-- 1 gitlab gitlab 1817 Jan 14 18:14 /usr/share/gitlab/config/gitlab.teatro.yml
lrwxrwxrwx 1 gitlab gitlab 22 Feb 13 23:54 /usr/share/gitlab/config/gitlab.yml -> /etc/gitlab/gitlab.yml
-rw-r--r-- 1 gitlab gitlab 997 Jan 14 18:14 /usr/share/gitlab/config/mail_room.yml
-rw-r--r-- 1 gitlab gitlab 298 Jan 14 18:14 /usr/share/gitlab/config/newrelic.yml
lrwxrwxrwx 1 gitlab gitlab 22 Feb 13 23:54 /usr/share/gitlab/config/resque.yml -> /etc/gitlab/resque.yml
-rw------- 1 gitlab gitlab 160 Feb 4 15:53 /usr/share/gitlab/config/secrets.yml
> - /usr/share/gitlab/config/secrets.yml
This and remaining yml files should be moved to /etc as well.
> - /usr/share/gitlab/config/unicorn.rb
$ ls -l /usr/share/gitlab/config/unicorn.rb
lrwxrwxrwx 1 gitlab gitlab 22 Feb 13 23:54 /usr/share/gitlab/config/unicorn.rb -> /etc/gitlab/unicorn.rb
> - /usr/share/gitlab/Gemfile.lock
> - /usr/share/gitlab/.gitconfig
> - /usr/share/gitlab/.gitlab_shell_secret
> - /usr/share/gitlab/information_schema
> - /usr/share/gitlab/public/uploads
> - /usr/share/gitlab/.secret
> - /usr/share/gitlab/shared/cache/archive/
> - /usr/share/gitlab/.ssh
>
> A possible offender might be /usr/share/gitlab/public/assets/. I do not know
> whether this content is host and/or configuration specific or not.
>
> I think one big problem is, that you set the home directory of the gitlab user
> to /usr/share/gitlab. But user's home directories are definitely host-specific
> and thus it would violate the FHS to store them in /usr. Also, it can be
> usually expected that one has write access to the home directory but according
> to the FHS, /usr might be mounted read-only during operation. So maybe you
> should move the home directory to something host specific like something in
> /var.
yes, I think it should be moved to /var, I need to think how best to
organize all of it then.
> The second problem is, that there are still lots of configuration files in
> /usr/share/gitlab. But configurations are host-specific and should be in /etc
> or also in /var in certain cases.
They are symlinks to /etc.
> Lastly, there seem to be upload and cache directories in /usr/share/gitlab
> which definitely mustn't be there, like /usr/share/gitlab/public/uploads or
uploads is also a symlink, will move cache also to /var
$ ls -l /usr/share/gitlab/public/uploads
lrwxrwxrwx 1 gitlab gitlab 23 Feb 13 13:24 /usr/share/gitlab/public/uploads -> /var/lib/gitlab/uploads
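An added example, not part of the original message or of the gitlab package: a shell function that lists every entry under a tree owned by a given account and separates real files and directories from symlinks that resolve outside the tree, which is the distinction the replies above turn on. The function name audit_tree and its output labels are assumptions made for this example; it relies on `find -user` and `readlink -f`.

```shell
#!/bin/sh
# Added example (not from the thread or the package).
# Usage: audit_tree ROOT OWNER
#   e.g. audit_tree /usr/share/gitlab gitlab
# OWNER may be a user name or a numeric uid.
# Output labels (chosen for this example):
#   FILE / DIR    real data owned by OWNER inside ROOT (writes land under ROOT)
#   LINK-OUT      symlink whose target resolves outside ROOT (e.g. /etc, /var)
#   LINK-INSIDE   symlink whose target is still inside ROOT
#   DANGLING      symlink whose target does not exist
# Paths containing newlines are not handled.
audit_tree() {
    root=$(readlink -f "$1") || return 2
    owner=$2
    # find does not follow symlinks by default, so each link is reported once,
    # as a link, and linked directories are not descended into.
    find "$root" -user "$owner" | while IFS= read -r path; do
        if [ -L "$path" ]; then
            if [ ! -e "$path" ]; then
                echo "DANGLING $path"
                continue
            fi
            target=$(readlink -f "$path")
            case "$target" in
                "$root"|"$root"/*) echo "LINK-INSIDE $path -> $target" ;;
                *)                 echo "LINK-OUT $path -> $target" ;;
            esac
        elif [ -d "$path" ]; then
            echo "DIR $path"
        else
            echo "FILE $path"
        fi
    done
}
```

On a layout like the one shown in the `ls -l` output above, the symlinked .yml files would be reported as LINK-OUT and secrets.yml as FILE.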