Omnibus reconfigure doesn't set the right permissions on the /etc/gitlab/ssl directory if the folder already exists
Logs from @bbodenmiller
```
Recipe: gitlab::add_trusted_certs
* directory[/etc/gitlab/ssl/trusted-certs] action create
- create new directory /etc/gitlab/ssl/trusted-certs
- change mode from '' to '0755'
- restore selinux security context
* directory[/opt/gitlab/embedded/ssl/certs] action create (up to date)
* file[/opt/gitlab/embedded/ssl/certs/README] action create
- create new file /opt/gitlab/embedded/ssl/certs/README
- update content in file /opt/gitlab/embedded/ssl/certs/README from none to e09a2d
--- /opt/gitlab/embedded/ssl/certs/README 2016-06-24 07:27:52.883133158 -0400
+++ /opt/gitlab/embedded/ssl/certs/.README20160624-25721-ldwz61 2016-06-24 07:27:52.882133180 -0400
@@ -1 +1,4 @@
+This directory is managed by omnibus-gitlab.
+ Any file placed in this directory will be ignored
+. Place certificates in /etc/gitlab/ssl/trusted-certs.
- change mode from '' to '0644'
- restore selinux security context
* ruby_block[Move existing certs and link to /opt/gitlab/embedded/ssl/certs] action run
* Moving existing certificates found in /opt/gitlab/embedded/ssl/certs
Moving /opt/gitlab/embedded/ssl/certs/61b4bd7e.0
* Symlinking existing certificates found in /etc/gitlab/ssl/trusted-certs
- execute the ruby block Move existing certs and link to /opt/gitlab/embedded/ssl/certs
```
Folder permissions:
```
sudo ls -lah /etc/gitlab/ssl/trusted-certs/
total 12K
drwxr-xr-x. 2 root root 4.0K Jun 24 08:02 .
drwx------. 3 root root 4.0K Jun 24 07:27 ..
lrwxrwxrwx. 1 root root   10 Jun 24 08:02 61b4bd7e.0 -> company.pem
-rw-r--r--. 1 root root 4.0K Oct  9  2015 company.pem
```
^ Note the permissions on `..`, which is /etc/gitlab/ssl
Permission error:
```
irb(main):002:0> OpenSSL::X509::Certificate.new(File.read("/etc/gitlab/ssl/trusted-certs/company.pem"))
Errno::EACCES: Permission denied @ rb_sysopen - /etc/gitlab/ssl/trusted-certs/company.pem
```
We should have omnibus manage the permissions on that directory and apply a non-recursive chown.
- root should own /etc/gitlab/ssl and /etc/gitlab/ssl/trusted-certs
- /etc/gitlab/ssl should be 0755, but not done recursively, as you may have files in there that you want locked down tighter.
- /etc/gitlab/ssl/trusted-certs and all its contents should be 0755
^ This should be somewhat like the permissions setup for /etc/ssl on your machine (it is for Ubuntu at least)
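As an added example (not code from this issue or from omnibus-gitlab), the following Ruby script audits which ancestor directory is blocking traversal to a certificate, then applies the permission policy proposed above: the ssl directory 0755 non-recursively so a private key kept beside trusted-certs stays 0600, and trusted-certs with its contents 0755. The `demo` function builds a constructed copy of the reported layout under a scratch directory; chown to root is only attempted when running as root.

```ruby
require 'fileutils'
require 'tmpdir'

# Ancestors of +path+ below +root+ that lack the other-execute bit: a world-readable
# file still raises Errno::EACCES when any directory above it cannot be traversed.
def traversal_blockers(path, root: '/')
  root = File.expand_path(root)
  blockers = []
  dir = File.dirname(File.expand_path(path))
  until dir == root || dir == '/'
    blockers << dir if (File.stat(dir).mode & 0o001).zero?
    dir = File.dirname(dir)
  end
  blockers.reverse
end

# Policy from the issue: ssl_dir 0755 and root-owned, NOT recursive, so private keys
# beside trusted-certs stay locked down; trusted-certs and all its contents 0755.
# chown needs root and is skipped when running unprivileged (as in the demo).
def apply_ssl_permissions(ssl_dir)
  trusted = File.join(ssl_dir, 'trusted-certs')
  File.chmod(0o755, ssl_dir)
  FileUtils.chmod_R(0o755, trusted) if File.directory?(trusted)
  if Process.euid.zero?
    File.chown(0, 0, ssl_dir)
    FileUtils.chown_R('root', 'root', trusted) if File.directory?(trusted)
  end
  ssl_dir
end

# Constructed layout mirroring the report: ssl/ is 0700 (the bug) with a 0600 key,
# trusted-certs/ holds company.pem plus omnibus's hash symlink. Returns audit results.
def demo(base)
  ssl = File.join(base, 'ssl')
  trusted = File.join(ssl, 'trusted-certs')
  key = File.join(ssl, 'gitlab.key')
  pem = File.join(trusted, 'company.pem')
  FileUtils.mkdir_p(trusted)
  File.write(key, "constructed private key\n")
  File.chmod(0o600, key)
  File.write(pem, "constructed certificate\n")
  File.symlink('company.pem', File.join(trusted, '61b4bd7e.0'))
  File.chmod(0o700, ssl)
  before = traversal_blockers(pem, root: base)
  apply_ssl_permissions(ssl)
  { before: before, after: traversal_blockers(pem, root: base),
    key_mode: File.stat(key).mode & 0o777, pem_mode: File.stat(pem).mode & 0o777 }
end

Dir.mktmpdir { |d| p demo(d) } if __FILE__ == $PROGRAM_NAME
```

Run against the real tree as root with `apply_ssl_permissions('/etc/gitlab/ssl')`; `traversal_blockers` alone is a safe read-only check for the failure in the irb session above.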