Change permissions on backup files

Use more restrictive permissions for backup tar files and for the db,
uploads, and repositories directories inside the tar files.

3 files changed, 48 insertions, 7 deletions

diff --git a/CHANGELOG b/CHANGELOG
index 7bc561b6e06..6eddab758ec 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -28,6 +28,7 @@ v 7.9.0 (unreleased)
   - Add a service to send updates to an Irker gateway (Romain Coltel)
   - Add brakeman (security scanner for Ruby on Rails)
   - Slack username and channel options
+  - Restrict permissions on backup files
   - Add grouped milestones from all projects to dashboard.
   - Web hook sends pusher email as well as commiter
   - Add Bitbucket omniauth provider.
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index ab8db4e9837..b499e5755bd 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -17,14 +17,18 @@ module Backup
         file << s.to_yaml.gsub(/^---\n/,'')
       end
 
+      FileUtils.chmod_R(0700, %w{db uploads repositories})
+
       # create archive
       $progress.print "Creating backup archive: #{tar_file} ... "
+      orig_umask = File.umask(0077)
       if Kernel.system('tar', '-cf', tar_file, *BACKUP_CONTENTS)
         $progress.puts "done".green
       else
         puts "creating archive #{tar_file} failed".red
         abort 'Backup failed'
       end
+      File.umask(orig_umask)
 
       upload(tar_file)
     end
diff --git a/spec/tasks/gitlab/backup_rake_spec.rb b/spec/tasks/gitlab/backup_rake_spec.rb
index 60942cc95fc..e6763be7b8f 100644
--- a/spec/tasks/gitlab/backup_rake_spec.rb
+++ b/spec/tasks/gitlab/backup_rake_spec.rb
@@ -10,17 +10,17 @@ describe 'gitlab:app namespace rake task' do
     Rake::Task.define_task :environment
   end
 
+  def run_rake_task(task_name)
+    Rake::Task[task_name].reenable
+    Rake.application.invoke_task task_name
+  end
+
   describe 'backup_restore' do
     before do
       # avoid writing task output to spec progress
       allow($stdout).to receive :write
     end
 
-    let :run_rake_task do
-      Rake::Task["gitlab:backup:restore"].reenable
-      Rake.application.invoke_task "gitlab:backup:restore"
-    end
-
     context 'gitlab version' do
       before do
         Dir.stub glob: []
@@ -36,7 +36,9 @@ describe 'gitlab:app namespace rake task' do
 
       it 'should fail on mismatch' do
         YAML.stub load_file: {gitlab_version: "not #{gitlab_version}" }
-        expect { run_rake_task }.to raise_error SystemExit
+        expect { run_rake_task('gitlab:backup:restore') }.to(
+          raise_error SystemExit
+        )
       end
 
       it 'should invoke restoration on mach' do
@@ -44,9 +46,43 @@ describe 'gitlab:app namespace rake task' do
         expect(Rake::Task["gitlab:backup:db:restore"]).to receive :invoke
         expect(Rake::Task["gitlab:backup:repo:restore"]).to receive :invoke
         expect(Rake::Task["gitlab:shell:setup"]).to receive :invoke
-        expect { run_rake_task }.to_not raise_error
+        expect { run_rake_task('gitlab:backup:restore') }.to_not raise_error
       end
     end
 
   end # backup_restore task
+
+  describe 'backup_create' do
+    def tars_glob
+      Dir.glob(File.join(Gitlab.config.backup.path, '*_gitlab_backup.tar'))
+    end
+
+    before :all do
+      FileUtils.rm(tars_glob)
+      orig_stdout = $stdout
+      $stdout = StringIO.new
+      run_rake_task('gitlab:backup:create')
+      $stdout = orig_stdout
+
+      @backup_tar = tars_glob.first
+    end
+
+    before do
+      backup_path = File.join(Gitlab.config.backup.path, 'test')
+      allow(Gitlab.config.backup).to receive(:path).and_return(backup_path)
+    end
+
+    it 'should set correct permissions on the tar file' do
+      expect(File.exist?(@backup_tar)).to be_truthy
+      expect(File::Stat.new(@backup_tar).mode.to_s(8)).to eq('100600')
+    end
+
+    it 'should set correct permissions on the tar contents' do
+      tar_contents, exit_status = Gitlab::Popen.popen(
+        %W{tar -tvf #{@backup_tar} db uploads repositories}
+      )
+      expect(exit_status).to eq(0)
+      expect(tar_contents).not_to match(/^.{4,9}[rwx]/)
+    end
+  end # backup_create task
 end # gitlab:app namespace