From ce8313e658203575833000f3b5e076b591f64b93 Mon Sep 17 00:00:00 2001
From: Jacob Vosmaer
Date: Thu, 12 Jun 2014 17:41:48 +0200
Subject: [PATCH] Use mode 0700 for redis and postgresql log dirs

---
 CHANGELOG | 1 +
 files/gitlab-cookbooks/gitlab/recipes/postgresql.rb | 24 ++++++++++--------------
 files/gitlab-cookbooks/gitlab/recipes/redis.rb | 16 ++++++++--------
 3 files changed, 19 insertions(+), 22 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 156096e..a2ef1ce 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,7 @@ omnibus-gitlab repository.
 - Update Git to version 2.0.0
 - Make Runit log rotation configurable
 - Change default Runit log rotation from 10x1MB to 30x24h
+- Security: Restrict redis and postgresql log directory permissions to 0700
 
 6.9.2
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
diff --git a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
index bd1b8c6..919e8be 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -34,20 +34,16 @@ user postgresql_user do
   home node['gitlab']['postgresql']['home']
 end
 
-directory postgresql_log_dir do
-  owner node['gitlab']['postgresql']['username']
-  recursive true
-end
-
-directory postgresql_dir do
-  owner node['gitlab']['postgresql']['username']
-  mode "0700"
-end
-
-directory postgresql_data_dir do
-  owner node['gitlab']['postgresql']['username']
-  mode "0700"
-  recursive true
+[
+  postgresql_dir,
+  postgresql_data_dir,
+  postgresql_log_dir
+].each do |dir|
+  directory dir do
+    owner node['gitlab']['postgresql']['username']
+    mode "0700"
+    recursive true
+  end
 end
 
 link postgresql_data_dir_symlink do
diff --git a/files/gitlab-cookbooks/gitlab/recipes/redis.rb b/files/gitlab-cookbooks/gitlab/recipes/redis.rb
index 77034a1..34a4fe9 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/redis.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/redis.rb
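Review bot: The new `[...].each do |dir|` block gives no reason why all three directories, including `postgresql_log_dir`, are now 0700; the CHANGELOG entry is the only place that records this as a security fix, so a later edit aimed at making logs readable could quietly undo it. Add a comment above the array, e.g. `# 0700 on every directory, including the log dir: other local users must not be able to read PostgreSQL's logs`. Two caveats worth a line in that comment as well: `recursive true` now also applies to `postgresql_dir`, which previously lacked it, and Chef's `directory` resource applies `owner`/`mode` only to the leaf directory when it creates missing parents, so any parent of the log dir created by this resource gets the umask default rather than 0700 (whether that can happen depends on where `postgresql_log_dir` points, which is set outside the hunk). No `group` is set on any of the three; with 0700 that has no access effect, but stating it explicitly would make the intended ownership unambiguous.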
@@ -32,14 +32,14 @@ user redis_user do
   home node['gitlab']['redis']['home']
 end
 
-directory redis_log_dir do
-  owner node['gitlab']['redis']['username']
-  recursive true
-end
-
-directory redis_dir do
-  owner node['gitlab']['redis']['username']
-  mode "0700"
+[
+  redis_dir,
+  redis_log_dir
+].each do |dir|
+  directory dir do
+    owner node['gitlab']['redis']['username']
+    mode "0700"
+  end
 end
 
 redis_config = File.join(redis_dir, "redis.conf")
-- 
libgit2 0.21.2
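Review bot: The rewritten loop drops `recursive true`, which the removed `directory redis_log_dir` resource had, so a converge on a host where the parent of `redis_log_dir` does not exist yet will now fail instead of creating it; the postgresql hunk in this same patch keeps `recursive true` for all of its directories, so the two recipes also diverge. Add `recursive true` inside the `directory dir do` block, directly after `mode "0700"`. Since Chef applies `owner`/`mode` only to the leaf directory when creating parents, it is worth a short comment that the 0700 is intended for the leaf log and data directories themselves, not for any parent created on the way.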