[DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 28 04:30:51 UTC 2016
Hi Julian,
On Sun, Mar 27, 2016 at 07:04:27PM +0100, Julian Gilbey wrote:
> Hello,
>
> I'm reporting this directly rather than via the BTS as it may be a
> security hole.
>
> Somehow, part of the gitlab configuration process created a file
> called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
> /usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its
> purpose, but I would assume that it is some form of secret key.
> However, the /var/lib/gitlab/.gitlab_shell_secret file is
> world-readable, which is not likely to be the desired file mode. 640
> would be - presumably - more appropriate.
>
> Other non-security bugs going to the BTS....
Since our gitlab package is not yet in a stable release, please report
this directly to the BTS. I think it's safe to do so in this case.
Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20160328/8119387b/attachment.sig>
More information about the Pkg-ruby-extras-maintainers
mailing list