diff options
author | Patrick Bajao <ebajao@gitlab.com> | 2019-08-27 07:33:48 +0300 |
---|---|---|
committer | Patrick Bajao <ebajao@gitlab.com> | 2019-08-29 11:33:04 +0300 |
commit | 0e33f16b5f93382214f806737d3fcf5e065c5447 (patch) | |
tree | d7ba941512c78438f7605f63bbf255ecb9f22eab /lib | |
parent | 95ffd22f07d821f223388bd60a287365d3b7d8f6 (diff) |
Add system check for authorized_keys file perm
This check is being removed from gitlab-shell as the file
is now being managed by gitlab-rails.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/authorized_keys.rb | 21 | ||||
-rw-r--r-- | lib/system_check/app/authorized_keys_permission_check.rb | 37 | ||||
-rw-r--r-- | lib/system_check/rake_task/app_task.rb | 3 |
3 files changed, 54 insertions, 7 deletions
diff --git a/lib/gitlab/authorized_keys.rb b/lib/gitlab/authorized_keys.rb index 3fe72f5fd43..ca9b65b7c44 100644 --- a/lib/gitlab/authorized_keys.rb +++ b/lib/gitlab/authorized_keys.rb @@ -13,6 +13,15 @@ module Gitlab @logger = logger end + # Checks if the file is accessible or not + # + # @return [Boolean] + def accessible? + open_authorized_keys_file('r') { true } + rescue Errno::ENOENT, Errno::EACCES + false + end + # Add id and its key to the authorized_keys file # # @param [String] id identifier of key prefixed by `key-` @@ -102,10 +111,14 @@ module Gitlab [] end + def file + @file ||= Gitlab.config.gitlab_shell.authorized_keys_file + end + private def lock(timeout = 10) - File.open("#{authorized_keys_file}.lock", "w+") do |f| + File.open("#{file}.lock", "w+") do |f| f.flock File::LOCK_EX Timeout.timeout(timeout) { yield } ensure @@ -114,7 +127,7 @@ module Gitlab end def open_authorized_keys_file(mode) - File.open(authorized_keys_file, mode, 0o600) do |file| + File.open(file, mode, 0o600) do |file| file.chmod(0o600) yield file end @@ -141,9 +154,5 @@ module Gitlab def strip(key) key.split(/[ ]+/)[0, 2].join(' ') end - - def authorized_keys_file - Gitlab.config.gitlab_shell.authorized_keys_file - end end end diff --git a/lib/system_check/app/authorized_keys_permission_check.rb b/lib/system_check/app/authorized_keys_permission_check.rb new file mode 100644 index 00000000000..1c581f88abc --- /dev/null +++ b/lib/system_check/app/authorized_keys_permission_check.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +module SystemCheck + module App + class AuthorizedKeysPermissionCheck < SystemCheck::BaseCheck + set_name 'Is authorized keys file accessible?' + set_skip_reason 'skipped (authorized keys not enabled)' + + def skip? + !authorized_keys_enabled? + end + + def check? + authorized_keys.accessible? + end + + def show_error + try_fixing_it([ + "sudo chmod 700 #{File.dirname(authorized_keys.file)}", + "touch #{authorized_keys.file}", + "sudo chmod 600 #{authorized_keys.file}" + ]) + fix_and_rerun + end + + private + + def authorized_keys_enabled? + Gitlab::CurrentSettings.current_application_settings.authorized_keys_enabled + end + + def authorized_keys + @authorized_keys ||= Gitlab::AuthorizedKeys.new + end + end + end +end diff --git a/lib/system_check/rake_task/app_task.rb b/lib/system_check/rake_task/app_task.rb index cc32feb8604..e98cee510ff 100644 --- a/lib/system_check/rake_task/app_task.rb +++ b/lib/system_check/rake_task/app_task.rb @@ -30,7 +30,8 @@ module SystemCheck SystemCheck::App::RubyVersionCheck, SystemCheck::App::GitVersionCheck, SystemCheck::App::GitUserDefaultSSHConfigCheck, - SystemCheck::App::ActiveUsersCheck + SystemCheck::App::ActiveUsersCheck, + SystemCheck::App::AuthorizedKeysPermissionCheck ] end end |