diff options
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | config/gitlab.yml.example | 1 | ||||
| -rw-r--r-- | config/initializers/1_settings.rb | 1 | ||||
| -rw-r--r-- | doc/raketasks/backup_restore.md | 17 | ||||
| -rw-r--r-- | lib/backup/manager.rb | 6 |
5 files changed, 23 insertions, 3 deletions
diff --git a/CHANGELOG b/CHANGELOG index d538bb42992..1c2155c0f9c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -37,6 +37,7 @@ v 7.13.0 (unreleased) - Correctly show anonymous authorized applications under Profile > Applications. - Query Optimization in MySQL. - Allow users to be blocked and unblocked via the API + - Allow custom backup archive permissions v 7.12.2 - Correctly show anonymous authorized applications under Profile > Applications. diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index c32ac2042d0..542106e86dd 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -247,6 +247,7 @@ production: &base ## Backup settings backup: path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/) + # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600) # keep_time: 604800 # default: 0 (forever) (in seconds) # upload: # # Fog storage connection settings, see http://fog.io/storage/ . diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 7b5d488f59e..bd76c918485 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -170,6 +170,7 @@ Settings.gitlab_shell['ssh_path_prefix'] ||= Settings.send(:build_gitlab_shell_s Settings['backup'] ||= Settingslogic.new({}) Settings.backup['keep_time'] ||= 0 Settings.backup['path'] = File.expand_path(Settings.backup['path'] || "tmp/backups/", Rails.root) +Settings.backup['archive_permissions'] ||= 0600 Settings.backup['upload'] ||= Settingslogic.new({ 'remote_directory' => nil, 'connection' => nil }) # Convert upload connection settings to use symbol keys, to make Fog happy if Settings.backup['upload']['connection'] diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md index 39a13b14fba..4a2e2df357a 100644 --- a/doc/raketasks/backup_restore.md +++ b/doc/raketasks/backup_restore.md @@ -141,6 +141,23 @@ with the name of your bucket: } ``` +## Backup archive permissions + +The backup archives created by GitLab (123456_gitlab_backup.tar) will have owner/group git:git and 0600 permissions by default. +This is meant to avoid other system users reading GitLab's data. +If you need the backup archives to have different permissions you can use the 'archive_permissions' setting. + +``` +# In /etc/gitlab/gitlab.rb, for omnibus packages +gitlab_rails['backup_archive_permissions'] = 0644 # Makes the backup archives world-readable +``` + +``` +# In gitlab.yml, for installations from source: + backup: + archive_permissions: 0644 # Makes the backup archives world-readable +``` + ## Storing configuration files Please be informed that a backup does not store your configuration files. diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb index 6fa2079d1a8..5103b265ed4 100644 --- a/lib/backup/manager.rb +++ b/lib/backup/manager.rb @@ -20,14 +20,14 @@ module Backup # create archive $progress.print "Creating backup archive: #{tar_file} ... " - orig_umask = File.umask(0077) - if Kernel.system('tar', '-cf', tar_file, *backup_contents) + # Set file permissions on open to prevent chmod races. + tar_system_options = {out: [tar_file, 'w', Gitlab.config.backup.archive_permissions]} + if Kernel.system('tar', '-cf', '-', *backup_contents, tar_system_options) $progress.puts "done".green else puts "creating archive #{tar_file} failed".red abort 'Backup failed' end - File.umask(orig_umask) upload(tar_file) end |