Bitbucket is being run with a umask that contains potentially unsafe settings

Issue #9 resolved
Former user created an issue

Could you fix permission settings in Dockerfile to avoid warning in log files:

Bitbucket is being run with a umask that contains potentially unsafe settings.
The following issues were found with the mask "u=rwx,g=rwx,o=rx" (0002):
 - access is allowed to 'others'. It is recommended that 'others' be denied
   all access for security reasons.
 - write access is allowed to 'group'. It is recommend that 'group' be
   denied write access. Read access to a restricted group is recommended
   to allow access to the logs.

The recommended umask for Bitbucket is "u=,g=w,o=rwx" (0027) and can be
configured in setenv.sh

Comments (4)

  1. Dave Chevell

    I've seen this issue in the past too, but I can't replicate it any longer. Definitely not in the Bitbucket 5 versions, and from a quick test not in the 4.14 one either. We can probably close this out since it no longer occurs; I'll do a bit more checking to see if I can pin down precisely when this was fixed, though.

    Edit: I was mistaken, see Paul's comments below.

  2. Paul Thompson

    Unfortunately, this is not fixed as of now and is still a valid issue; see reproduction case here. It happens right at the start of the image startup.

    > docker run --rm -it atlassian/bitbucket-server:5.1  
    User is currently root. Will change directory ownership to daemon:daemon, then downgrade permission to daemon
    Starting Atlassian Bitbucket as the current user
    
    Copying Elasticsearch configuration to /var/atlassian/application-data/bitbucket/shared/search
    
    Starting bundled Elasticsearch
        Hint: Run start-bitbucket.sh --no-search to skip starting Elasticsearch
    Bundled Elasticsearch started successfully
    
    Bitbucket is being run with a umask that contains potentially unsafe settings.
    The following issues were found with the mask "u=rwx,g=rx,o=rx" (0022):
     - Access is allowed to 'others'. It is recommended that 'others' be denied
       all access for security reasons.
    The recommended umask for Bitbucket is "u=,g=w,o=rwx" (0027) and can be
    configured in _start-webapp.sh
    
    Starting Bitbucket webapp at http://localhost:7990
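
The two findings in the warnings quoted above follow directly from the mask bits. The script below is an added example, not part of the thread and not Bitbucket's own check; the function names `audit_umask` and `effective_modes` and the finding keywords are hypothetical. It reproduces both findings for the three masks mentioned in this issue and shows the modes new files and directories receive under each.

```shell
#!/bin/sh
# Added example (not Bitbucket's own check): reproduce the two findings from
# the startup warning for a given octal umask.

# Print one finding keyword per line; print nothing when the mask passes.
# Exit status 2 for input that is not an octal number.
audit_umask() (
    case "$1" in
        ''|*[!0-7]*) echo "invalid umask: $1" >&2; exit 2 ;;
    esac
    mask=$((0$1))                      # leading 0 forces octal parsing
    # 'others' must have all three bits masked, otherwise some access remains.
    [ $((mask & 07)) -eq 7 ] || echo "others-access"
    # 'group' must have the write bit (020) masked.
    [ $((mask & 020)) -ne 0 ] || echo "group-write"
    exit 0
)

# Modes that new files (base 0666) and directories (base 0777) get under a mask.
effective_modes() (
    case "$1" in
        ''|*[!0-7]*) echo "invalid umask: $1" >&2; exit 2 ;;
    esac
    mask=$((0$1))
    printf 'file=%04o dir=%04o\n' $((0666 & ~mask)) $((0777 & ~mask))
)

# The three masks that appear in this issue: 0002 and 0022 trigger the
# warning, 0027 is the value the warning recommends.
for m in 0002 0022 0027; do
    findings=$(audit_umask "$m" | tr '\n' ' ')
    echo "umask $m: $(effective_modes "$m") findings: ${findings:-none}"
done
```
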
    