diff --git a/CHANGELOG b/CHANGELOG
index 156096e..a2ef1ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,7 @@ omnibus-gitlab repository.
 - Update Git to version 2.0.0
 - Make Runit log rotation configurable
 - Change default Runit log rotation from 10x1MB to 30x24h
+- Security: Restrict redis and postgresql log directory permissions to 0700
 
 6.9.2
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
diff --git a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
index bd1b8c6..919e8be 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -34,20 +34,16 @@ user postgresql_user do
 home node['gitlab']['postgresql']['home']
 end
 
-directory postgresql_log_dir do
- owner node['gitlab']['postgresql']['username']
- recursive true
-end
-
-directory postgresql_dir do
- owner node['gitlab']['postgresql']['username']
- mode "0700"
-end
-
-directory postgresql_data_dir do
- owner node['gitlab']['postgresql']['username']
- mode "0700"
- recursive true
+[
+ postgresql_dir,
+ postgresql_data_dir,
+ postgresql_log_dir
+].each do |dir|
+ directory dir do
+ owner node['gitlab']['postgresql']['username']
+ mode "0700"
+ recursive true
+ end
 end
 
 link postgresql_data_dir_symlink do
diff --git a/files/gitlab-cookbooks/gitlab/recipes/redis.rb b/files/gitlab-cookbooks/gitlab/recipes/redis.rb
index 77034a1..34a4fe9 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/redis.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/redis.rb
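Review bot: In the new `directory dir do` loop of postgresql.rb, `owner` and `mode "0700"` take effect only on the leaf directory; Chef does not apply them to any parent that `recursive true` creates, so those parents get whatever owner and mode the Chef run produces by default. The restriction therefore holds only if each listed path is itself the directory that holds the data or logs, which is worth recording in a comment above the loop, e.g. `# owner/mode apply to the leaf only; parents created via recursive keep default permissions`. The loop also leaves `group` unmanaged, which 0700 makes harmless today but would matter if the mode were ever relaxed. The recipe continues on both sides of the hunk.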
@@ -32,14 +32,14 @@ user redis_user do
 home node['gitlab']['redis']['home']
 end
 
-directory redis_log_dir do
- owner node['gitlab']['redis']['username']
- recursive true
-end
-
-directory redis_dir do
- owner node['gitlab']['redis']['username']
- mode "0700"
+[
+ redis_dir,
+ redis_log_dir
+].each do |dir|
+ directory dir do
+ owner node['gitlab']['redis']['username']
+ mode "0700"
+ end
 end
 
 redis_config = File.join(redis_dir, "redis.conf")
-- libgit2 0.21.2
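Review bot: The merged loop in redis.rb no longer sets `recursive true`, which the removed `redis_log_dir` resource had, so if the parent of the Redis log directory does not exist when this recipe runs, the `directory` resource will fail instead of creating it. The equivalent loop in postgresql.rb in this same commit keeps `recursive true`, so the two recipes now behave differently. Unless an earlier recipe (not visible here) guarantees the parent, add `recursive true` after `mode "0700"` inside `directory dir do`. The recipe continues on both sides of the hunk.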