[DRE-maint] Bug#819412: gitlab: creates world-readable secrets file

Julian Gilbey jdg at debian.org
Mon Mar 28 07:32:59 UTC 2016


Package: gitlab
Version: 8.4.3+dfsg-12
Severity: grave
Tags: security

Hello,

Somehow, part of the gitlab configuration process created a file
called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
/usr/share/gitlab-shell/.gitlab_shell_secret.  I don't know its
purpose, but I would assume that it is some form of secret key.
However, the /var/lib/gitlab/.gitlab_shell_secret file is
world-readable, which is not likely to be the desired file mode.  640
would be - presumably - more appropriate.

Best wishes,

   Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gitlab depends on:
ii  adduser                                    3.114
ii  asciidoctor                                1.5.4-1
ii  bc                                         1.06.95-9+b1
ii  bundler                                    1.11.2-1
ii  debconf [debconf-2.0]                      1.5.59
ii  git                                        1:2.8.0~rc3-1
ii  gitlab-shell                               2.6.10-1
ii  gitlab-workhorse                           0.6.3-1
ii  init-system-helpers                        1.29
ii  letsencrypt                                0.4.1-1
ii  libjs-chartjs                              1.0.2-1
ii  libjs-clipboard                            1.4.2-1
ii  libjs-fuzzaldrin-plus                      0.3.1-1
ii  libjs-graphael                             0.5+dfsg-1
ii  libjs-jquery-cookie                        10-2
ii  libjs-jquery-history                       10-2
ii  libjs-jquery-nicescroll                    3.6.6-1
ii  nginx                                      1.9.10-1
ii  nginx-full [nginx]                         1.9.10-1
ii  nodejs                                     4.3.1~dfsg-3
ii  postgresql                                 9.5+172
ii  postgresql-client                          9.5+172
ii  postgresql-client-9.4 [postgresql-client]  9.4.6-0+deb8u1
ii  postgresql-client-9.5 [postgresql-client]  9.5.1-1
ii  rake                                       10.5.0-2
ii  redis-server                               2:3.0.6-1
ii  ruby                                       1:2.3.0+1
ii  ruby-ace-rails-ap                          3.0.3-2
ii  ruby-activerecord-deprecated-finders       1.0.4-1
ii  ruby-activerecord-session-store            0.1.1-3
ii  ruby-acts-as-taggable-on                   3.5.0-2
ii  ruby-addressable                           2.3.8-1
ii  ruby-after-commit-queue                    1.3.0-1
ii  ruby-allocations                           1.0.3-1+b2
ii  ruby-asana                                 0.4.0-1
ii  ruby-attr-encrypted                        1.3.4-1
ii  ruby-babosa                                1.0.2-1
ii  ruby-bootstrap-sass                        3.3.5.1-3
ii  ruby-browser                               1.0.1-1
ii  ruby-cal-heatmap-rails                     3.5.1+dfsg-1
ii  ruby-carrierwave                           0.10.0+gh-2
ii  ruby-charlock-holmes                       0.7.3+dfsg-2+b2
ii  ruby-coffee-rails                          4.1.0-2
ii  ruby-colorize                              0.7.7-1
ii  ruby-connection-pool                       2.2.0-1
ii  ruby-creole                                0.5.0-2
ii  ruby-d3-rails                              3.5.6+dfsg-1
ii  ruby-default-value-for                     3.0.1-1
ii  ruby-devise                                3.5.6-2
ii  ruby-devise-async                          0.9.0-1
ii  ruby-devise-two-factor                     2.0.0-1
ii  ruby-diffy                                 3.0.6-1
ii  ruby-doorkeeper                            2.2.1-1
ii  ruby-dropzonejs-rails                      0.7.1-1
ii  ruby-email-reply-parser                    0.5.8-1
ii  ruby-fog                                   1.34.0-3
ii  ruby-fogbugz                               0.2.1-2
ii  ruby-font-awesome-rails                    4.3.0.0-1
ii  ruby-gemnasium-gitlab-service              0.2.6-1
ii  ruby-github-linguist                       4.7.2-2
ii  ruby-github-markup                         1.3.3+dfsg-1
ii  ruby-gitlab-emoji                          0.2.1-1
ii  ruby-gitlab-flowdock-git-hook              1.0.1-1
ii  ruby-gitlab-git                            7.2.24-1
ii  ruby-gollum-lib                            4.1.0-3
ii  ruby-gon                                   6.0.1-1
ii  ruby-grape                                 0.13.0-1
ii  ruby-grape-entity                          0.5.0-1
ii  ruby-haml-rails                            0.9.0-4
ii  ruby-hipchat                               1.5.2-2
ii  ruby-html-pipeline                         1.11.0-1
ii  ruby-httparty                              0.13.5-1
ii  ruby-influxdb                              0.2.3-1
ii  ruby-jquery-atwho-rails                    1.3.2-2
ii  ruby-jquery-rails                          4.0.5-1
ii  ruby-jquery-scrollto-rails                 1.4.3+dfsg-1
ii  ruby-jquery-turbolinks                     2.1.0~dfsg-1
ii  ruby-jquery-ui-rails                       5.0.5-3
ii  ruby-kaminari                              0.16.3-1
ii  ruby-mail-room                             0.6.1-1
ii  ruby-method-source                         0.8.2-2
ii  ruby-mousetrap-rails                       1.4.6-5
ii  ruby-nested-form                           0.3.2-2
ii  ruby-net-ssh                               1:3.0.1-3
ii  ruby-nokogiri                              1.6.7.2-3
ii  ruby-nprogress-rails                       0.1.6.7-2
ii  ruby-oauth2                                1.0.0-2
ii  ruby-octokit                               3.8.0-1
ii  ruby-omniauth                              1.3.1-1
ii  ruby-omniauth-azure-oauth2                 0.0.6-1
ii  ruby-omniauth-bitbucket                    0.0.2-1
ii  ruby-omniauth-cas3                         1.1.3-1
ii  ruby-omniauth-crowd                        2.2.3-2
ii  ruby-omniauth-facebook                     3.0.0-1
ii  ruby-omniauth-github                       1.1.2-2
ii  ruby-omniauth-gitlab                       1.0.0-2
ii  ruby-omniauth-google-oauth2                0.2.4-1
ii  ruby-omniauth-kerberos                     0.3.0-3
ii  ruby-omniauth-ldap                         1.0.5-1
ii  ruby-omniauth-saml                         1.5.0-1
ii  ruby-omniauth-shibboleth                   1.2.1-1
ii  ruby-omniauth-twitter                      1.2.1-1
ii  ruby-org                                   0.9.12-1
ii  ruby-paranoia                              2.1.3-1
ii  ruby-pg                                    0.18.4-1
ii  ruby-rack-attack                           4.3.1-1
ii  ruby-rack-cors                             0.4.0-1
ii  ruby-rack-oauth2                           1.2.1-2
ii  ruby-rails                                 2:4.2.5.2-2
ii  ruby-rails-deprecated-sanitizer            1.0.3-1
ii  ruby-raphael-rails                         2.1.2~dfsg-1
ii  ruby-recaptcha                             0.4.0-1
ii  ruby-redcarpet                             3.3.4-2
ii  ruby-redcloth                              4.2.9-5+b3
ii  ruby-redis-namespace                       1.5.2-3
ii  ruby-redis-rails                           4.0.0-1
ii  ruby-request-store                         1.3.0-1
ii  ruby-responders                            2.1.1-1
ii  ruby-rouge                                 1.10.1-1
ii  ruby-rqrcode-rails3                        0.1.7-1
ii  ruby-sanitize                              2.1.0-2
ii  ruby-sass-rails                            5.0.4-1
ii  ruby-seed-fu                               2.3.5-1
ii  ruby-select2-rails                         3.5.9.3-2
ii  ruby-sentry-raven                          0.15.3-1
ii  ruby-settingslogic                         2.0.9-3
ii  ruby-sidekiq                               4.0.1+dfsg-2
ii  ruby-sidekiq-cron                          0.4.2-4
ii  ruby-sinatra                               1.4.7-3
ii  ruby-six                                   0.2.0-3
ii  ruby-slack-notifier                        1.2.1-1
ii  ruby-sprockets                             3.3.0-1
ii  ruby-state-machines-activerecord           0.3.0-1
ii  ruby-task-list                             1.0.2-2
ii  ruby-tinder                                1.10.1-1
ii  ruby-turbolinks                            2.5.3-2
ii  ruby-uglifier                              2.7.2-1
ii  ruby-underscore-rails                      1.8.2+dfsg-1
ii  ruby-unf                                   0.1.4-1
ii  ruby-unicorn-worker-killer                 0.4.2-1
ii  ruby-version-sorter                        2.0.0+dfsg-2+b4
ii  ruby-virtus                                1.0.5-2
ii  ruby-wikicloth                             0.8.1+dfsg-3
ii  ruby2.1 [ruby-interpreter]                 2.1.5-4
ii  ruby2.2 [ruby-interpreter]                 2.2.4-1
ii  ruby2.3 [ruby-interpreter]                 2.3.0-5
ii  unicorn                                    4.9.0-2+b2

gitlab recommends no packages.

gitlab suggests no packages.

-- Configuration Files:
/etc/gitlab/gitlab-debian.conf changed [not included]
/etc/gitlab/gitlab.yml changed [not included]

-- debconf information excluded
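Added example, not part of the bug report or of the Debian gitlab package: a small POSIX sh check for the symptom described above. It follows the symlink to the real file, reads the target's mode from ls, and fails when any "other" permission bit is set; tighten_secret() applies the 0640 mode the report suggests and re-checks. The file under a mktemp directory in the test is constructed; on a real system the argument would be the path the report names.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Debian gitlab package.
# Checks whether a secrets file is accessible to users other than its owner
# and group, following symlinks such as
# /usr/share/gitlab-shell/.gitlab_shell_secret -> /var/lib/gitlab/.gitlab_shell_secret.
# Uses only ls/cut/chmod so it runs under dash (Debian's /bin/sh).

# secret_mode_ok FILE
#   0  - no "other" bits set (e.g. 0600 or 0640)
#   1  - world-accessible (some of r/w/x set for "other")
#   2  - file missing (or a dangling symlink)
secret_mode_ok() {
    f=$1
    # test -e follows symlinks, so a dangling link is reported as missing
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    # ls -L reports the mode of the symlink target, not of the link itself;
    # columns 1-10 are the type and permission string, e.g. -rw-r--r--
    perms=$(ls -ldL "$f" | cut -c1-10)
    # columns 8-10 are the "other" r/w/x bits
    other=$(printf '%s' "$perms" | cut -c8-10)
    case "$other" in
        ---) return 0 ;;
        *)   echo "world-accessible ($perms): $f" >&2; return 1 ;;
    esac
}

# tighten_secret FILE
#   Applies the 0640 mode suggested in the report (owner rw, group r,
#   other none) to the symlink target and re-checks it.
tighten_secret() {
    f=$1
    chmod 0640 "$f" || return 1     # chmod dereferences symlinks
    secret_mode_ok "$f"
}

# When run directly with paths as arguments, check each one and exit
# non-zero on the first problem, e.g.:
#   sh check_secret.sh /var/lib/gitlab/.gitlab_shell_secret
for f in "$@"; do
    secret_mode_ok "$f" || exit $?
done
```

Checking the "other" field rather than the numeric mode keeps the script portable between GNU and BSD stat, and resolving the symlink matters because the mode shown on /usr/share/gitlab-shell/.gitlab_shell_secret itself says nothing about the file in /var/lib/gitlab that actually holds the secret.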
