[DRE-maint] Bug#819412: gitlab: creates world-readable secrets file
Julian Gilbey
jdg at debian.org
Mon Mar 28 07:32:59 UTC 2016
Package: gitlab
Version: 8.4.3+dfsg-12
Severity: grave
Tags: security
Hello,

Somehow, part of the gitlab configuration process created a file
called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
/usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its
purpose, but I would assume that it is some form of secret key.
However, the /var/lib/gitlab/.gitlab_shell_secret file is
world-readable, which is not likely to be the desired file mode. 640
would be - presumably - more appropriate.

Best wishes,
Julian
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gitlab depends on:
ii adduser 3.114
ii asciidoctor 1.5.4-1
ii bc 1.06.95-9+b1
ii bundler 1.11.2-1
ii debconf [debconf-2.0] 1.5.59
ii git 1:2.8.0~rc3-1
ii gitlab-shell 2.6.10-1
ii gitlab-workhorse 0.6.3-1
ii init-system-helpers 1.29
ii letsencrypt 0.4.1-1
ii libjs-chartjs 1.0.2-1
ii libjs-clipboard 1.4.2-1
ii libjs-fuzzaldrin-plus 0.3.1-1
ii libjs-graphael 0.5+dfsg-1
ii libjs-jquery-cookie 10-2
ii libjs-jquery-history 10-2
ii libjs-jquery-nicescroll 3.6.6-1
ii nginx 1.9.10-1
ii nginx-full [nginx] 1.9.10-1
ii nodejs 4.3.1~dfsg-3
ii postgresql 9.5+172
ii postgresql-client 9.5+172
ii postgresql-client-9.4 [postgresql-client] 9.4.6-0+deb8u1
ii postgresql-client-9.5 [postgresql-client] 9.5.1-1
ii rake 10.5.0-2
ii redis-server 2:3.0.6-1
ii ruby 1:2.3.0+1
ii ruby-ace-rails-ap 3.0.3-2
ii ruby-activerecord-deprecated-finders 1.0.4-1
ii ruby-activerecord-session-store 0.1.1-3
ii ruby-acts-as-taggable-on 3.5.0-2
ii ruby-addressable 2.3.8-1
ii ruby-after-commit-queue 1.3.0-1
ii ruby-allocations 1.0.3-1+b2
ii ruby-asana 0.4.0-1
ii ruby-attr-encrypted 1.3.4-1
ii ruby-babosa 1.0.2-1
ii ruby-bootstrap-sass 3.3.5.1-3
ii ruby-browser 1.0.1-1
ii ruby-cal-heatmap-rails 3.5.1+dfsg-1
ii ruby-carrierwave 0.10.0+gh-2
ii ruby-charlock-holmes 0.7.3+dfsg-2+b2
ii ruby-coffee-rails 4.1.0-2
ii ruby-colorize 0.7.7-1
ii ruby-connection-pool 2.2.0-1
ii ruby-creole 0.5.0-2
ii ruby-d3-rails 3.5.6+dfsg-1
ii ruby-default-value-for 3.0.1-1
ii ruby-devise 3.5.6-2
ii ruby-devise-async 0.9.0-1
ii ruby-devise-two-factor 2.0.0-1
ii ruby-diffy 3.0.6-1
ii ruby-doorkeeper 2.2.1-1
ii ruby-dropzonejs-rails 0.7.1-1
ii ruby-email-reply-parser 0.5.8-1
ii ruby-fog 1.34.0-3
ii ruby-fogbugz 0.2.1-2
ii ruby-font-awesome-rails 4.3.0.0-1
ii ruby-gemnasium-gitlab-service 0.2.6-1
ii ruby-github-linguist 4.7.2-2
ii ruby-github-markup 1.3.3+dfsg-1
ii ruby-gitlab-emoji 0.2.1-1
ii ruby-gitlab-flowdock-git-hook 1.0.1-1
ii ruby-gitlab-git 7.2.24-1
ii ruby-gollum-lib 4.1.0-3
ii ruby-gon 6.0.1-1
ii ruby-grape 0.13.0-1
ii ruby-grape-entity 0.5.0-1
ii ruby-haml-rails 0.9.0-4
ii ruby-hipchat 1.5.2-2
ii ruby-html-pipeline 1.11.0-1
ii ruby-httparty 0.13.5-1
ii ruby-influxdb 0.2.3-1
ii ruby-jquery-atwho-rails 1.3.2-2
ii ruby-jquery-rails 4.0.5-1
ii ruby-jquery-scrollto-rails 1.4.3+dfsg-1
ii ruby-jquery-turbolinks 2.1.0~dfsg-1
ii ruby-jquery-ui-rails 5.0.5-3
ii ruby-kaminari 0.16.3-1
ii ruby-mail-room 0.6.1-1
ii ruby-method-source 0.8.2-2
ii ruby-mousetrap-rails 1.4.6-5
ii ruby-nested-form 0.3.2-2
ii ruby-net-ssh 1:3.0.1-3
ii ruby-nokogiri 1.6.7.2-3
ii ruby-nprogress-rails 0.1.6.7-2
ii ruby-oauth2 1.0.0-2
ii ruby-octokit 3.8.0-1
ii ruby-omniauth 1.3.1-1
ii ruby-omniauth-azure-oauth2 0.0.6-1
ii ruby-omniauth-bitbucket 0.0.2-1
ii ruby-omniauth-cas3 1.1.3-1
ii ruby-omniauth-crowd 2.2.3-2
ii ruby-omniauth-facebook 3.0.0-1
ii ruby-omniauth-github 1.1.2-2
ii ruby-omniauth-gitlab 1.0.0-2
ii ruby-omniauth-google-oauth2 0.2.4-1
ii ruby-omniauth-kerberos 0.3.0-3
ii ruby-omniauth-ldap 1.0.5-1
ii ruby-omniauth-saml 1.5.0-1
ii ruby-omniauth-shibboleth 1.2.1-1
ii ruby-omniauth-twitter 1.2.1-1
ii ruby-org 0.9.12-1
ii ruby-paranoia 2.1.3-1
ii ruby-pg 0.18.4-1
ii ruby-rack-attack 4.3.1-1
ii ruby-rack-cors 0.4.0-1
ii ruby-rack-oauth2 1.2.1-2
ii ruby-rails 2:4.2.5.2-2
ii ruby-rails-deprecated-sanitizer 1.0.3-1
ii ruby-raphael-rails 2.1.2~dfsg-1
ii ruby-recaptcha 0.4.0-1
ii ruby-redcarpet 3.3.4-2
ii ruby-redcloth 4.2.9-5+b3
ii ruby-redis-namespace 1.5.2-3
ii ruby-redis-rails 4.0.0-1
ii ruby-request-store 1.3.0-1
ii ruby-responders 2.1.1-1
ii ruby-rouge 1.10.1-1
ii ruby-rqrcode-rails3 0.1.7-1
ii ruby-sanitize 2.1.0-2
ii ruby-sass-rails 5.0.4-1
ii ruby-seed-fu 2.3.5-1
ii ruby-select2-rails 3.5.9.3-2
ii ruby-sentry-raven 0.15.3-1
ii ruby-settingslogic 2.0.9-3
ii ruby-sidekiq 4.0.1+dfsg-2
ii ruby-sidekiq-cron 0.4.2-4
ii ruby-sinatra 1.4.7-3
ii ruby-six 0.2.0-3
ii ruby-slack-notifier 1.2.1-1
ii ruby-sprockets 3.3.0-1
ii ruby-state-machines-activerecord 0.3.0-1
ii ruby-task-list 1.0.2-2
ii ruby-tinder 1.10.1-1
ii ruby-turbolinks 2.5.3-2
ii ruby-uglifier 2.7.2-1
ii ruby-underscore-rails 1.8.2+dfsg-1
ii ruby-unf 0.1.4-1
ii ruby-unicorn-worker-killer 0.4.2-1
ii ruby-version-sorter 2.0.0+dfsg-2+b4
ii ruby-virtus 1.0.5-2
ii ruby-wikicloth 0.8.1+dfsg-3
ii ruby2.1 [ruby-interpreter] 2.1.5-4
ii ruby2.2 [ruby-interpreter] 2.2.4-1
ii ruby2.3 [ruby-interpreter] 2.3.0-5
ii unicorn 4.9.0-2+b2
gitlab recommends no packages.
gitlab suggests no packages.
-- Configuration Files:
/etc/gitlab/gitlab-debian.conf changed [not included]
/etc/gitlab/gitlab.yml changed [not included]
-- debconf information excluded
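Added example, not part of the bug report or of the Debian gitlab package: a small POSIX shell audit for a secret file like the one reported above. It follows the symlink before reading the mode (a symlink itself always shows 777, so checking the link path without -L proves nothing), tightens a world-readable file to 0640, and shows how to create such a file under a restrictive umask so it is never world-readable even briefly. It assumes GNU coreutils (stat -L -c '%a') and takes the path as an argument so it can be run against a temporary file.

```shell
#!/bin/sh
# Audit and repair the mode of a secret file such as
# /var/lib/gitlab/.gitlab_shell_secret (path passed as $1).
# Assumes GNU coreutils; added example, not the package's own code.
set -eu

# Octal mode of the file the path finally resolves to. Without -L,
# stat on /usr/share/gitlab-shell/.gitlab_shell_secret would report
# the symlink's own 777 rather than the mode of the real file.
real_mode() {
    stat -L -c '%a' "$1"
}

# Return 0 if the file is readable by "other": the last octal digit
# has the read bit (4) set.
world_readable() {
    mode=$(real_mode "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ $(( other & 4 )) -ne 0 ]
}

# Ensure the secret is 0640 (owner rw, group r, nothing for other).
# chmod follows the symlink, so the target file is what gets fixed.
# Returns 0 if the mode was changed, 1 if it was already acceptable.
fix_secret_mode() {
    if world_readable "$1"; then
        chmod 0640 "$1"
        return 0
    fi
    return 1
}

# Create a secret file the safe way: set the umask in a subshell before
# the redirection creates the file, so it is born with mode 0640 and no
# window exists in which another local user could read it.
# $1 = path, $2 = secret value (constructed by the caller).
create_secret() {
    ( umask 027 && printf '%s\n' "$2" > "$1" )
}
```

Run as, for example, fix_secret_mode /var/lib/gitlab/.gitlab_shell_secret after sourcing the file; the function returns 0 when it had to tighten the mode.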