Gitea local repostory permission 755 issue

Hi All,

I have installed the Gitea 1.19.1 container on a Raspberry Pi 4B using Docker Compose (note 1) and have used the command " volumes : /media/ext_ssd/gitea_data:/data" to redirect the container’s data to an external SSD.

However, when I create a new repository (test.git) in the Gitea web interface, the local directory’s permissions are 755 (note 2), which allows any logged-in user to access the repository data.

Is there any way to prevent everyone from being able to read the repository data when Gitea creates or modifies a repository?

我使用 docker-compose(注1) 在 raspberry pi 4b 上面安裝了 gitea1-19.2 的 container
並使用 volumes: /media/ext_ssd/gitea_data:/data 指令,把 container 的 data 導到我一個外部儲存的 SSD

不過我發現當我在 Gitea web 建立一個新的 repository (test.git) 的時候,他 local directory 的權限卻是 755 (注2)
這樣會讓這台能登入的帳號取得 repository 的資料

有沒有辦法能讓 Gitea 新增/修改 repository 的時候,讓權限至少不要讓 everyone 能做讀取?

Note 1:

version: “3”
external: false

image: gitea/gitea:latest
container_name: gitea
- USER_UID=1000
- USER_GID=1000
restart: always
- gitea
- /media/ext_ssd/gitea_data:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
- “13000:3000”
- “10022:22”

Note 2:( we can see repo’s permission is 755)

drwxr-xr-x 7 eric eric 4096 Apr 28 03:00 .
drwxrwx— 3 eric eric 4096 Apr 28 03:00 …
drwxr-xr-x 2 eric eric 4096 Apr 28 03:00 branches
-rw-r–r-- 1 eric eric 66 Apr 28 03:00 config
-rw-r–r-- 1 eric eric 73 Apr 28 03:00 description
-rw-r–r-- 1 eric eric 21 Apr 28 03:00 HEAD
drwxr-xr-x 6 eric eric 4096 Apr 28 03:00 hooks
drwxr-xr-x 2 eric eric 4096 Apr 28 03:00 info
drwxr-xr-x 4 eric eric 4096 Apr 28 03:00 objects
drwxr-xr-x 4 eric eric 4096 Apr 28 03:00 refs
eric@raspberrypi:/media/ext_ssd/gitea_data/git/repositories/ericwang/test.git $

It looks like there is no security issue since parent folder .. has permission drwxrwx— meaning only eric or group members of eric can access test.git. You should be able to test with other user and get permission error.

There is good Linux utility namei -l /media/ext_ssd/gitea_data/git/repositories/ericwang/test.git which can show you permissions of parent folders all the way up to /. For example, my home directory:

dr-xr-xr-x root root /
drwxr-xr-x root root home
drwx------ jake jake jake
drwxr-xr-x jake jake Documents

You can see that Documents itself has insecure permission, but since jake above it has secure permission, Documents is also secure.

1 Like

It seems like it should be fine. If i set permission of gitea_data folder to 700 or 770

thanks for your kindly help :smiley:

1 Like