From 35848950c34a13c2e2a9b84792ed7408df6fac96 Mon Sep 17 00:00:00 2001
From: Praveen Arimbrathodiyil
Date: Tue, 5 Apr 2016 12:37:43 +0530
Subject: [PATCH] restrict file permissions for secrets
---
debian/changelog | 1 +
debian/rake-tasks.sh | 9 ++++++++-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 21dc252c65..2ce03a14c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ gitlab (8.5.8+dfsg-4) UNRELEASED; urgency=medium
* Tighten version requirements for dependencies
* Fix permissions for uploads
* Run db:migrate when db exist
+ * Restrict file permissions for secret files (Closes: #819412)
-- Pirate Praveen Tue, 05 Apr 2016 11:38:52 +0530
diff --git a/debian/rake-tasks.sh b/debian/rake-tasks.sh
index 5077c8fe08..a9e15b3881 100755
--- a/debian/rake-tasks.sh
+++ b/debian/rake-tasks.sh
@@ -14,8 +14,15 @@ if ! [ -f "${gitlab_app_root}/config/secrets.yml" ]; then
cp ${gitlab_app_root}/config/secrets.yml.example ${gitlab_app_root}/config/secrets.yml
sed -i "s/# db_key_base:/db_key_base: ${gitlab_app_secret}/" ${gitlab_app_root}/config/secrets.yml
- echo ${gitlab_app_root} > ${gitlab_app_root}/.secret
+ echo ${gitlab_app_secret} > ${gitlab_app_root}/.secret
}
+
+# Restrict permissions for secret files
+
+chmod 0700 ${gitlab_data_dir}/.secret
+chmod 0700 ${gitlab_data_dir}/.gitlab_shell_secret
+chmod 0700 ${gitlab_conf}/secrets.yml
+
fi
if [ "$(LANG=C su postgres -c "psql gitlab_production -c \"\d\"")" = \
"No relations found." ]; then
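Review bot: The three new `chmod` lines are placed before `fi`, i.e. still inside the `if ! [ -f .../secrets.yml ]` branch whose `if` opens before the hunk (the header context line), so they run only on a first install where secrets.yml does not yet exist and an existing installation whose secret files were created with the old permissions is never tightened; moving them after `fi` makes the restriction apply on every run. Even on a fresh install the files are created by `cp` and `echo ... > ${gitlab_app_root}/.secret` under the default umask and only restricted afterwards, so the mode should be set at creation time (a `umask 077` scoped to that branch, or `install -m 0600` for the copy) rather than repaired later. The chmod targets are `${gitlab_data_dir}/.secret` and `${gitlab_conf}/secrets.yml` while the files are written to `${gitlab_app_root}/.secret` and `${gitlab_app_root}/config/secrets.yml`; that is fine if those paths are symlinks to the same files (chmod follows them), but if not the newly written copies are missed, and the relationship is not visible in the hunk. For regular files `0600` is the appropriate mode (the execute bit serves no purpose), the expansions should be quoted, and the secret is better written with `printf '%s\n' "${gitlab_app_secret}" > "${gitlab_app_root}/.secret"` so a value that happens to start with `-` is not parsed as an echo option.

```shell
  # … unchanged: cp / sed of secrets.yml.example inside the if-branch …
  printf '%s\n' "${gitlab_app_secret}" > "${gitlab_app_root}/.secret"
}
fi

# Restrict permissions for secret files on every run, not only when they are first created
chmod 0600 "${gitlab_data_dir}/.secret"
chmod 0600 "${gitlab_data_dir}/.gitlab_shell_secret"
chmod 0600 "${gitlab_conf}/secrets.yml"
```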