Closed wxiaoguang closed 1 year ago
Is this issue addressed? I've starting testing gitea v1.20.0-rc2 (which includes 8302b95d6bfdbc40083a72e5d1b727fcb1e00940) locally and have gotten these errors on startup:
2023/06/26 18:44:53 ...es/setting/oauth2.go:140:loadOAuth2From() [F] save oauth2.JWT_SECRET failed: failed to save "/custom/conf/app.ini": open /custom/conf/app.ini: permission denied
In our config we set oauth2.ENABLE = false
. I think there are two problems here. The first is that gitea shouldn't attempt to modify the oauth2 configuration if not enabled. Second, ideally gitea would never write config back out to disk. As a user using configuration management and container images I don't want our config to by modified outside of these processes.
I do not think "/custom/conf/app.ini" is a right path for config file.
How do you run Gitea? Can you provide reproducible steps?
I do not think "/custom/conf/app.ini" is a right path for config file.
Paths are arbitrary and as far as I know Gitea doesn't actually care what the paths are. In our case we build our docker image with this Dockerfile: https://opendev.org/opendev/system-config/src/branch/master/docker/gitea/Dockerfile (modified to update the git tag checkout to v1.20.0-rc2 in this case) and deploy them with this docker-compose file: https://opendev.org/opendev/system-config/src/branch/master/playbooks/roles/gitea/templates/docker-compose.yaml.j2
How do you run Gitea? Can you provide reproducible steps?
I believe that there are two things necessary to reproduce this problem. The first is the app.ini file must have permissions set such that the gitea user cannot write to the file. Second gitea must see some file difference it wants to write back to that file.
To achieve the first item you can chown root:root app.ini
and chmod 0644 app.ini
then run gitea as a user other than root. The file will be owned by root with permissions only allowing root to modify the file. Then to trigger the write create an oauth2
section with this content:
[oauth2]
ENABLE = false
This seems to force gitea into thinking it needs to add JWT_SECRET to that config and write it back to the file. As mentioned above I think there are two bugs here. The first is that if oauth2 is disabled gitea shouldn't do anything with secrets for oauth2. The second is that gitea should not write back to its config file. If gitea generates new config like this unexpectedly then configuration can be broken and/or mismatch what configuration management believes is in place.
It is possible that this is separate issue and I'm happy to file one for that. I just saw this issue and it looks very similar (but this is happening outside of the gitea runtime and the issue I have is during runtime?)
Edited to fix file permissions (they were 0600
should be 0644
).
The first is that if oauth2 is disabled gitea shouldn't do anything with secrets for oauth2.
Yes, it is a bug, it doesn't make sense to generate the secret if the oauth2 is disabled.
The second is that gitea should not write back to its config file.
Gitea requires that the "app.ini" should be writable by itself, it's not well documented but many functions depend on this fact.
Description
Users should a have a clear and simple app.ini by default.