[DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file
Julian Gilbey
jdg at debian.org
Sun Mar 27 18:04:27 UTC 2016
Hello,
I'm reporting this directly rather than via the BTS as it may be a
security hole.
Somehow, part of the gitlab configuration process created a file
called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
/usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its
purpose, but I would assume that it is some form of secret key.
However, the /var/lib/gitlab/.gitlab_shell_secret file is
world-readable, which is not likely to be the desired file mode. 640
would be - presumably - more appropriate.
Other non-security bugs going to the BTS....
Best wishes,
Julian
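As an added illustration of the check and fix the report asks for (this is not code from the report, the Debian gitlab packaging, or GitLab itself): a small POSIX shell script that reports the effective mode of a secret file, following the symlink to the real file, tells you whether the "other" class can read it, tightens it to the suggested 0640, and sweeps a directory for any other world-readable regular files. It assumes GNU coreutils/findutils (`stat -L -c`, `readlink -f`), which is what a Debian system has; the paths and file names in the usage comments are the ones from the report.

```shell
#!/bin/sh
# Added example, not part of the original report or the Debian gitlab package.
# Assumes GNU coreutils (stat -c, readlink -f) as found on Debian.

# Print the octal mode of the file a path finally resolves to.
# stat -L follows symlinks, so this reports the real file's mode, not the link's.
secret_mode() {
    stat -L -c '%a' "$1"
}

# Succeed (exit 0) only if the "other" class has no permission bits at all.
# The last octal digit of the mode is the "other" class: 644 -> 4 -> readable.
secret_is_private() {
    mode=$(stat -L -c '%a' "$1") || return 2
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" = "0" ]
}

# Tighten a secret to 0640 (owner rw, group r, nothing for others).
# chmod on the link would already act on the target, but resolving it first
# makes it explicit which inode is being changed.
fix_secret() {
    target=$(readlink -f "$1") || return 1
    chmod 0640 "$target" || return 1
    secret_is_private "$target"
}

# List regular files under a directory that anyone on the system can read.
# -perm -o+r matches files with the "other read" bit set (POSIX find syntax).
world_readable_in() {
    find "$1" -type f -perm -o+r
}

# Usage on the system from the report (paths taken from the report):
#   secret_mode      /usr/share/gitlab-shell/.gitlab_shell_secret
#   secret_is_private /var/lib/gitlab/.gitlab_shell_secret || echo "world-readable"
#   fix_secret       /usr/share/gitlab-shell/.gitlab_shell_secret
#   world_readable_in /var/lib/gitlab
```

With 0640 the file is only readable by its owner and group, so the owner/group must be the account the GitLab services actually run as; check with `stat -L -c '%U:%G'` before tightening, or the service loses access to its own secret. Fixing the mode also does not undo the exposure: a secret that was world-readable for any length of time should be treated as disclosed and regenerated.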