[DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file
Julian Gilbey
jdg at debian.org
Mon Mar 28 07:30:25 UTC 2016
On Mon, Mar 28, 2016 at 06:30:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Julian,
>
> On Sun, Mar 27, 2016 at 07:04:27PM +0100, Julian Gilbey wrote:
> > Hello,
> >
> > I'm reporting this directly rather than via the BTS as it may be a
> > security hole.
> >
> > Somehow, part of the gitlab configuration process created a file
> > called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
> > /usr/share/gitlab-shell/.gitlab_shell_secret. I don't know its
> > purpose, but I would assume that it is some form of secret key.
> > However, the /var/lib/gitlab/.gitlab_shell_secret file is
> > world-readable, which is not likely to be the desired file mode. 640
> > would be - presumably - more appropriate.
> >
> > Other non-security bugs going to the BTS....
>
> Since our gitlab package is not yet in a stable release, please report
> this directly to the BTS. I think it's safe to do so in this case.
>
> Regards,
> Salvatore
OK, shall do, thanks!
Julian
More information about the Pkg-ruby-extras-maintainers
mailing list