Use mode 0700 for redis and postgresql log dirs

Jacob Vosmaer
1 parent 2838abd6
Showing 3 changed files with 19 additions and 22 deletions Show diff stats
CHANGELOG
files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
files/gitlab-cookbooks/gitlab/recipes/redis.rb
@@ -19,6 +19,7 @@ omnibus-gitlab repository.
 - Update Git to version 2.0.0
 - Make Runit log rotation configurable
 - Change default Runit log rotation from 10x1MB to 30x24h
+- Security: Restrict redis and postgresql log directory permissions to 0700
  
 6.9.2
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
@@ -34,20 +34,16 @@ user postgresql_user do
   home node['gitlab']['postgresql']['home']
 end
  
-directory postgresql_log_dir do
-  owner node['gitlab']['postgresql']['username']
-  recursive true
-end
-
-directory postgresql_dir do
-  owner node['gitlab']['postgresql']['username']
-  mode "0700"
-end
-
-directory postgresql_data_dir do
-  owner node['gitlab']['postgresql']['username']
-  mode "0700"
-  recursive true
+[
+  postgresql_dir,
+  postgresql_data_dir,
+  postgresql_log_dir
+].each do |dir|
+  directory dir do
+    owner node['gitlab']['postgresql']['username']
+    mode "0700"
+    recursive true
+  end
 end
  
 link postgresql_data_dir_symlink do
@@ -32,14 +32,14 @@ user redis_user do
   home node['gitlab']['redis']['home']
 end
  
-directory redis_log_dir do
-  owner node['gitlab']['redis']['username']
-  recursive true
-end
-
-directory redis_dir do
-  owner node['gitlab']['redis']['username']
-  mode "0700"
+[
+  redis_dir,
+  redis_log_dir
+].each do |dir|
+  directory dir do
+    owner node['gitlab']['redis']['username']
+    mode "0700"
+  end
 end
  
 redis_config = File.join(redis_dir, "redis.conf")
...	...	@@ -19,6 +19,7 @@ omnibus-gitlab repository.
19	19	- Update Git to version 2.0.0
20	20	- Make Runit log rotation configurable
21	21	- Change default Runit log rotation from 10x1MB to 30x24h
	22	+- Security: Restrict redis and postgresql log directory permissions to 0700
22	23
23	24	6.9.2
24	25	- Create the authorized-keys.lock file for gitlab-shell 1.9.4
...	...
...	...	@@ -34,20 +34,16 @@ user postgresql_user do
34	34	home node['gitlab']['postgresql']['home']
35	35	end
36	36
37		-directory postgresql_log_dir do
38		- owner node['gitlab']['postgresql']['username']
39		- recursive true
40		-end
41		-
42		-directory postgresql_dir do
43		- owner node['gitlab']['postgresql']['username']
44		- mode "0700"
45		-end
46		-
47		-directory postgresql_data_dir do
48		- owner node['gitlab']['postgresql']['username']
49		- mode "0700"
50		- recursive true
	37	+[
	38	+ postgresql_dir,
	39	+ postgresql_data_dir,
	40	+ postgresql_log_dir
	41	+].each do \|dir\|
	42	+ directory dir do
	43	+ owner node['gitlab']['postgresql']['username']
	44	+ mode "0700"
	45	+ recursive true
	46	+ end
51	47	end
52	48
53	49	link postgresql_data_dir_symlink do
...	...
...	...	@@ -32,14 +32,14 @@ user redis_user do
32	32	home node['gitlab']['redis']['home']
33	33	end
34	34
35		-directory redis_log_dir do
36		- owner node['gitlab']['redis']['username']
37		- recursive true
38		-end
39		-
40		-directory redis_dir do
41		- owner node['gitlab']['redis']['username']
42		- mode "0700"
	35	+[
	36	+ redis_dir,
	37	+ redis_log_dir
	38	+].each do \|dir\|
	39	+ directory dir do
	40	+ owner node['gitlab']['redis']['username']
	41	+ mode "0700"
	42	+ end
43	43	end
44	44
45	45	redis_config = File.join(redis_dir, "redis.conf")
...	...