[DRE-maint] Possible security flaw in gitlab: world readable gitlab_shell_secret file

Julian Gilbey jdg at debian.org
Mon Mar 28 07:30:25 UTC 2016


On Mon, Mar 28, 2016 at 06:30:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Julian,
> 
> On Sun, Mar 27, 2016 at 07:04:27PM +0100, Julian Gilbey wrote:
> > Hello,
> > 
> > I'm reporting this directly rather than via the BTS as it may be a
> > security hole.
> > 
> > Somehow, part of the gitlab configuration process created a file
> > called /var/lib/gitlab/.gitlab_shell_secret, with a symlink from
> > /usr/share/gitlab-shell/.gitlab_shell_secret.  I don't know its
> > purpose, but I would assume that it is some form of secret key.
> > However, the /var/lib/gitlab/.gitlab_shell_secret file is
> > world-readable, which is not likely to be the desired file mode.  640
> > would be - presumably - more appropriate.
> > 
> > Other non-security bugs going to the BTS....
> 
> Since our gitlab package is not yet in a stable release, please report
> this directly to the BTS. I think it's safe to do so in this case.
> 
> Regards,
> Salvatore

OK, shall do, thanks!

   Julian
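The thread's point is a secret file whose "other" read bit is set, reached through a symlink from the gitlab-shell directory. As an added example, not code from the thread or from the Debian gitlab package, the POSIX shell script below audits a path for exactly that condition (following the symlink to the real file, as ls -L does), reports it, and remediates to the 0640 mode the report suggests. All paths it uses are constructed under a temporary directory; the secret file content is a placeholder string, and nothing touches a real GitLab installation.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian gitlab package):
# audit a secret file's permission bits, following a symlink such as
# /usr/share/gitlab-shell/.gitlab_shell_secret -> /var/lib/gitlab/.gitlab_shell_secret.
# Every path below is constructed in a temp dir; nothing touches a real install.

# Print the 10-character mode string (e.g. "-rw-r--r--") of the file the
# path finally points to; -L dereferences symlinks, -d keeps it to one entry.
mode_string() {
    ls -ldL "$1" | cut -c1-10
}

# Succeed (exit 0) when "other" can read the file: the flaw the report describes.
# Character 8 of the mode string is the other-read bit.
is_world_readable() {
    case "$(mode_string "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Succeed when the path is a regular file that is not world-readable
# (0640, 0600, ...). Exit 1 = exposed, exit 2 = missing.
check_secret() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING  $f" >&2
        return 2
    fi
    if is_world_readable "$f"; then
        echo "EXPOSED  $f ($(mode_string "$f"))" >&2
        return 1
    fi
    echo "OK       $f ($(mode_string "$f"))"
    return 0
}

# Remediate to 0640, the mode suggested in the report. chmod follows the
# symlink, so the bits of the target file change, not the link's.
fix_secret() {
    chmod 0640 "$1"
}

# Stand-alone demonstration on a constructed file and symlink.
demo() {
    d=$(mktemp -d)
    secret="$d/.gitlab_shell_secret"
    link="$d/link_to_secret"
    echo "constructed-placeholder-not-a-real-secret" > "$secret"
    chmod 0644 "$secret"            # reproduce the world-readable state
    ln -s "$secret" "$link"
    check_secret "$link" || true     # reports EXPOSED through the symlink
    fix_secret "$link"
    check_secret "$link"             # reports OK with -rw-r-----
    rm -rf "$d"
}

demo
```

Run it as `sh audit_secret.sh`; to audit a real path, call `check_secret /path/to/.gitlab_shell_secret` from a shell that has sourced the functions. The check deliberately accepts group-read, matching the 640 the report proposes, because gitlab-shell and the web application may run under different accounts sharing a group; tighten the case pattern to `????r?????` as well if the deployment needs 0600.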


