INTERNAL_TOKEN_URI needlessly opened as RW #8518

Closed
opened 2025-11-02 08:09:32 -06:00 by GiteaMirror · 5 comments

Originally created by @mapreri on GitHub (Feb 7, 2022).

https://github.com/go-gitea/gitea/blob/7ce938b6c7a7c66eb615cf391e9742a65e3e3f95/modules/setting/setting.go#L1039

```go
func loadInternalToken(sec *ini.Section) string {
...
	switch tempURI.Scheme {
	case "file":
		fp, err := os.OpenFile(tempURI.RequestURI(), os.O_RDWR, 0600)
		if err != nil {
			log.Fatal("Failed to open InternalTokenURI (%s): %v", uri, err)
		}
...
```

Using O_RDWR is not really useful here. I think that it should be possible to make it only O_RDONLY.

I spotted this as I tried to make the file 0400 and gitea failed to start.

Thanks for considering.


@wxiaoguang commented on GitHub (Feb 7, 2022):

But the logic is: if the file doesn't exist, Gitea will try to generate a new secret and write it into the file.


@mapreri commented on GitHub (Feb 7, 2022):

Right, so gitea can try to open the file (RO), if ENOENT then create with
the content (and close it, it's not even needed to read the file then
anyway).

Imho if the file exists but doesn't contain the token gitea could just
error out (didn't go check if this matches the current behaviour), or could
try to re-open the file as RW as needed if that's the current behaviour for
"file present but empty" and you want to keep it.

(I'm not proposing a patch because I really have no experience with go
(which is something I should fix..), and also because I don't have time to
try to figure out how to build the project and test such a change.)

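The flow proposed in this comment (open read-only, create the file only on ENOENT, treat an existing-but-empty file as an error), written out as an added Go example. This is not Gitea's code and not the fix merged in #18657; the names `loadOrCreateToken` and `generateToken`, the token format, and the sample files are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// generateToken returns 32 random bytes as unpadded URL-safe base64 (43 chars).
// The token format is an assumption of this example.
func generateToken() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("generate token: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// loadOrCreateToken (hypothetical name) follows the flow proposed in the thread:
//  1. open the token file read-only and use its content if present;
//  2. on ENOENT, generate a token and create the file write-only with
//     O_CREATE|O_EXCL and mode 0600;
//  3. an existing but empty file is an error rather than a silent rewrite.
// Because the existing-file path never asks for write access, a 0400 file or
// a secret mounted read-only can be used.
func loadOrCreateToken(path string) (string, error) {
	data, err := os.ReadFile(path) // opens with O_RDONLY
	switch {
	case err == nil:
		tok := strings.TrimSpace(string(data))
		if tok == "" {
			return "", fmt.Errorf("token file %s exists but is empty", path)
		}
		return tok, nil
	case errors.Is(err, fs.ErrNotExist):
		tok, err := generateToken()
		if err != nil {
			return "", err
		}
		// O_EXCL makes creation atomic: if another process created the file
		// between our read and this open, fail instead of overwriting its token.
		f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
		if err != nil {
			return "", fmt.Errorf("create token file %s: %w", path, err)
		}
		if _, err := f.WriteString(tok + "\n"); err != nil {
			f.Close()
			return "", fmt.Errorf("write token file %s: %w", path, err)
		}
		if err := f.Close(); err != nil {
			return "", fmt.Errorf("close token file %s: %w", path, err)
		}
		return tok, nil
	default:
		return "", fmt.Errorf("open token file %s: %w", path, err)
	}
}

func main() {
	dir, err := os.MkdirTemp("", "token-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)

	// Constructed scenario: a pre-provisioned token file that is read-only (0400).
	ro := filepath.Join(dir, "internal-token")
	_ = os.WriteFile(ro, []byte("pre-provisioned-secret\n"), 0400)
	tok, err := loadOrCreateToken(ro)
	fmt.Printf("read-only file: token=%q err=%v\n", tok, err)

	// Constructed scenario: the file is missing, so a token is generated and
	// the file is created with mode 0600.
	fresh := filepath.Join(dir, "new-token")
	tok, err = loadOrCreateToken(fresh)
	fmt.Printf("missing file: token length=%d err=%v\n", len(tok), err)
}
```

The point of the split is that the read path and the create path need different permissions, so the read-only deployment (a 0400 file, or a Kubernetes secret mounted read-only) no longer has to satisfy an `O_RDWR` open it will never use.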

@mapreri commented on GitHub (Feb 8, 2022):

Thank you!!


@mmoya commented on GitHub (Apr 18, 2022):

Can #18657 be backported to 1.6?

gitea 1.6.5 fails to start in kubernetes when `INTERNAL_TOKEN_URI` is pointing to a file mounted from a readonly secret. The error is `...s/setting/setting.go:1085:loadInternalToken() [F] Failed to open InternalTokenURI (file:/etc/gitea/secrets/internal-token): open /etc/gitea/secrets/internal-token: permission denied`


@lunny commented on GitHub (Apr 19, 2022):

> Can #18657 be backported to 1.6?
>
> gitea 1.6.5 fails to start in kubernetes when `INTERNAL_TOKEN_URI` is pointing to a file mounted from a readonly secret. The error is `...s/setting/setting.go:1085:loadInternalToken() [F] Failed to open InternalTokenURI (file:/etc/gitea/secrets/internal-token): open /etc/gitea/secrets/internal-token: permission denied`

Will be released in v1.16.6


Reference: github-starred/gitea#8518