Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

INTERNAL_TOKEN_URI needlessly opened as RW #18655

Closed
mapreri opened this issue Feb 7, 2022 · 5 comments · Fixed by #18657
Closed

INTERNAL_TOKEN_URI needlessly opened as RW #18655

mapreri opened this issue Feb 7, 2022 · 5 comments · Fixed by #18657

Comments

@mapreri
Copy link

mapreri commented Feb 7, 2022

fp, err := os.OpenFile(tempURI.RequestURI(), os.O_RDWR, 0600)

func loadInternalToken(sec *ini.Section) string {
...
	switch tempURI.Scheme {
	case "file":
		fp, err := os.OpenFile(tempURI.RequestURI(), os.O_RDWR, 0600)
		if err != nil {
			log.Fatal("Failed to open InternalTokenURI (%s): %v", uri, err)
		}
...

Using O_RDWR is not really useful here. I think that it should be possible to make it only O_RDONLY.

I spotted this as I tried to make the file 0400 and gitea failed to start.

Thanks for considering.

@wxiaoguang
Copy link
Contributor

But the logic is: if the file doesn't exist, Gitea will try to generate a new secret and write it into the file.

@mapreri
Copy link
Author

mapreri commented Feb 7, 2022 via email

Gusted pushed a commit to Gusted/gitea that referenced this issue Feb 7, 2022
- Only request write for `INTERNAL_TOKEN_URI` when no token was found.
- Resolves go-gitea#18655
lunny pushed a commit that referenced this issue Feb 8, 2022
* Only request write when necessary

- Only request write for `INTERNAL_TOKEN_URI` when no token was found.
- Resolves #18655

* Fix perm

* Update setting.go

* Update setting.go

* Update setting.go

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@mapreri
Copy link
Author

mapreri commented Feb 8, 2022

Thank you!!

Chianina pushed a commit to Chianina/gitea that referenced this issue Mar 28, 2022
* Only request write when necessary

- Only request write for `INTERNAL_TOKEN_URI` when no token was found.
- Resolves go-gitea#18655

* Fix perm

* Update setting.go

* Update setting.go

* Update setting.go

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@mmoya
Copy link

mmoya commented Apr 18, 2022

Can #18657 be backported to 1.6?

gitea 1.6.5 fails to start in kubernetes when INTERNAL_TOKEN_URI is pointing to a file mounted from a readonly secret. The error is ...s/setting/setting.go:1085:loadInternalToken() [F] Failed to open InternalTokenURI (file:/etc/gitea/secrets/internal-token): open /etc/gitea/secrets/internal-token: permission denied

lunny pushed a commit to lunny/gitea that referenced this issue Apr 19, 2022
* Only request write when necessary

- Only request write for `INTERNAL_TOKEN_URI` when no token was found.
- Resolves go-gitea#18655

* Fix perm

* Update setting.go

* Update setting.go

* Update setting.go

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@lunny
Copy link
Member

lunny commented Apr 19, 2022

Can #18657 be backported to 1.6?

gitea 1.6.5 fails to start in kubernetes when INTERNAL_TOKEN_URI is pointing to a file mounted from a readonly secret. The error is ...s/setting/setting.go:1085:loadInternalToken() [F] Failed to open InternalTokenURI (file:/etc/gitea/secrets/internal-token): open /etc/gitea/secrets/internal-token: permission denied

Will be released in v1.16.6

techknowlogick pushed a commit that referenced this issue Apr 19, 2022
* Only request write when necessary

- Only request write for `INTERNAL_TOKEN_URI` when no token was found.
- Resolves #18655

* Fix perm

* Update setting.go

* Update setting.go

* Update setting.go

Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>

Co-authored-by: Gusted <[email protected]>
Co-authored-by: wxiaoguang <[email protected]>
Co-authored-by: zeripath <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants