[DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file

Julian Gilbey jdg at debian.org
Sun Mar 27 18:04:27 UTC 2016


Hello,

I'm reporting this directly rather than via the BTS as it may be a
security hole.

Somehow, part of the gitlab configuration process created a file
called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
/usr/share/gitlab-shell/.gitlab_shell_secret.  I don't know its
purpose, but I would assume that it is some form of secret key.
However, the /var/lib/gitlab/.gitlab_shell_secret file is
world-readable, which is not likely to be the desired file mode.  640
would be - presumably - more appropriate.

Other non-security bugs going to the BTS....

Best wishes,

   Julian
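An added example, not part of the report above, showing the check and the fix the message implies: test whether a secret file (or a symlink pointing at it, as in the /usr/share/gitlab-shell layout described) is readable by "other", and tighten it to 0640. The paths, file contents and temporary directory are constructed for the demo; nothing here reads a real GitLab installation.

```shell
#!/bin/sh
# Added example (not from the original report). Requires GNU find, stat
# and readlink (-f), which Debian ships.

# Return 0 if the path, after following symlinks, is a regular file that
# has the "other read" bit set.
is_world_readable() {
    # -L follows symlinks so a link to the secret is judged by its target;
    # -maxdepth 0 looks only at the starting point itself.
    [ -n "$(find -L "$1" -maxdepth 0 -type f -perm -o=r 2>/dev/null)" ]
}

# Tighten the real file to 0640 (owner rw, group r, nobody else), even
# when we were handed the symlink rather than the file.
restrict_secret() {
    chmod 0640 "$(readlink -f "$1")"
}

# Audit every path given: print mode and resolved target, return 1 if any
# of them is world-readable.
audit_secret() {
    rc=0
    for p in "$@"; do
        target=$(readlink -f "$p")
        mode=$(stat -c '%a' "$target")
        if is_world_readable "$p"; then
            echo "WARN: $p -> $target mode $mode is world-readable"
            rc=1
        else
            echo "ok:   $p -> $target mode $mode"
        fi
    done
    return $rc
}

# Demo on a constructed layout mirroring the report: a real secret file
# plus a symlink to it, created with the too-permissive 0644 mode.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed-not-a-real-secret\n' > "$tmp/.gitlab_shell_secret"
    chmod 0644 "$tmp/.gitlab_shell_secret"              # the reported flaw
    ln -s "$tmp/.gitlab_shell_secret" "$tmp/link_secret"
    audit_secret "$tmp/.gitlab_shell_secret" "$tmp/link_secret" || true
    restrict_secret "$tmp/link_secret"                  # fix through the symlink
    audit_secret "$tmp/.gitlab_shell_secret" "$tmp/link_secret"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

The check follows symlinks on purpose: a symlink's own mode is meaningless, so auditing /usr/share/gitlab-shell/.gitlab_shell_secret must judge the target under /var/lib/gitlab. The fix uses 0640 so the gitlab-shell group can still read the secret while every other local user is shut out.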
