Skip to content
Snippets Groups Projects

Assets directory

Closed Assets directory
assets_directory into master
Closed Marin Jankovski requested to merge assets_directory into master

Closes #492 (closed)

Set open permissions to all files in assets directory while disallowing the deletion using the sticky bit. This will allow running the gitlab-rake assets:precompile task.

Merge request reports

Loading
Loading

Activity

Filter activity
  • Approvals
  • Assignees & reviewers
  • Comments (from bots)
  • Comments (from users)
  • Commits & branches
  • Edits
  • Labels
  • Lock status
  • Mentions
  • Merge request status
  • Tracking
files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
202 202 end
203 203 end
204 204
205 # Set the open permissions so assets:precompile can be triggered from the
206 # rake task. Set the sticky bit so no one but the owner can delete.
207 execute "change permissions" do
208 command "chmod -R 1777 /opt/gitlab/embedded/service/gitlab-rails/public/assets"
  • Marin Jankovski
    Marin Jankovski @marin ·
    Author Maintainer

    Apart from the no way argument, I would like to know why would it be a problem given that the owner is still root and you cannot delete files if you don't own them. Is there another option for this?

  • username-removed-5302
    username-removed-5302 @jacobvosmaer ·
    Contributor

    Any system user could insert malicious javascript because they get write access. That is a problem, no?

  • Marin Jankovski Status changed to closed

    Status changed to closed

  • Marin Jankovski
    Marin Jankovski @marin ·
    Author Maintainer

    Yup

  • username-removed-5302
    username-removed-5302 @jacobvosmaer ·
    Contributor

    Thanks for calling me out on my emotional reaction to mode 777 :)

    • Please register or sign in to reply