From 2177bf6eedec1f94f7c90a2de5858454fda71d79 Mon Sep 17 00:00:00 2001
From: josedario87
Date: Fri, 31 Oct 2025 22:15:01 -0600
Subject: [PATCH] =?UTF-8?q?Fix:=20Correcciones=20de=20seguridad=20cr=C3=AD?=
 =?UTF-8?q?ticas=20en=20deployment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Eliminar exposición del puerto 4430 que creaba bypass a Traefik
- Eliminar comandos destructivos rm -rf que borraban datos en cada deploy
- Restringir permisos de directorios sensibles de 755 a 750
---
 .gitea/workflows/build-and-deploy.yml | 14 +++++---------
 docker-compose.yml                    |  2 --
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/.gitea/workflows/build-and-deploy.yml b/.gitea/workflows/build-and-deploy.yml
index ce97229..669f039 100644
--- a/.gitea/workflows/build-and-deploy.yml
+++ b/.gitea/workflows/build-and-deploy.yml
@@ -28,7 +28,7 @@ jobs:
       - name: Clean up existing stack
         run: docker compose --project-name $APP_NAME down || true
 
-      - name: Create and clean MeshCentral directories
+      - name: Create MeshCentral directories
         run: |
           # Crear directorios fijos en /srv/meshcentral
           mkdir -p /srv/meshcentral/data
@@ -36,10 +36,6 @@ jobs:
           mkdir -p /srv/meshcentral/backup
           mkdir -p /srv/meshcentral/config
 
-          # Limpiar SOLO el config.json (empezar de cero según el usuario)
-          rm -rf /srv/meshcentral/data/*
-          rm -rf /srv/meshcentral/files/*
-
       - name: Generate MeshCentral config.json
         run: |
           tee /srv/meshcentral/data/config.json > /dev/null <<'EOF'
@@ -93,10 +89,10 @@ jobs:
 
       - name: Set correct permissions
         run: |
-          chmod -R 755 /srv/meshcentral/data
-          chmod -R 755 /srv/meshcentral/files
-          chmod -R 755 /srv/meshcentral/backup
-          chmod -R 755 /srv/meshcentral/config
+          chmod -R 750 /srv/meshcentral/data
+          chmod -R 750 /srv/meshcentral/files
+          chmod -R 750 /srv/meshcentral/backup
+          chmod -R 750 /srv/meshcentral/config
 
       - name: Start MeshCentral stack
         run: docker compose --project-name $APP_NAME up -d --remove-orphans --wait
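Review bot: The four `chmod -R 750` lines in the "Set correct permissions" step change the mode without setting ownership, so whether the container can still read /srv/meshcentral/data once the world bits are dropped depends on the owner and group of those directories matching the UID the meshcentral image runs as, which nothing in this hunk shows; if the runner writes as root and the container runs unprivileged, 750 locks the service out of its own data. Pair the chmod with an explicit `chown -R <container-uid>:<container-gid> /srv/meshcentral` earlier in the same step (placeholder values, the image's UID is not on the page). `-R 750` also marks every regular file, including the config.json written by the "Generate MeshCentral config.json" step, as executable; `chmod -R u=rwX,g=rX,o= /srv/meshcentral/data` (and likewise for files, backup and config) yields 750 on directories and 640 on files. The first hunk is only a step rename and the second only removes the rm -rf lines; the steps sequence enclosing all three hunks continues outside them.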
diff --git a/docker-compose.yml b/docker-compose.yml
index c6c3208..5b0ba9d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,8 +5,6 @@ services:
     image: ghcr.io/ylianst/meshcentral:latest
     container_name: ${APP_NAME:-meshcentral}
     restart: unless-stopped
-    ports:
-      - "${MESH_PORT:-4430}:4430"
     volumes:
      - /srv/meshcentral/data:/opt/meshcentral/meshcentral-data
      - /srv/meshcentral/files:/opt/meshcentral/meshcentral-files
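Review bot: With the `ports:` mapping removed, the meshcentral service is reachable only over a Docker network that Traefik also joins, and nothing in this hunk (image, container_name, restart, volumes) attaches it to one; the service definition continues past the hunk, so confirm a `networks:` entry naming Traefik's network exists there, otherwise the change makes the service unreachable rather than Traefik-only. Consider keeping the listening port visible without publishing it, `expose:` followed by `- "4430"`, so the intended internal port is documented now that the mapping is gone. `MESH_PORT` is no longer referenced by this file after the change; any `.env` or deployment docs that still set it should be updated so nobody reintroduces the host binding to "fix" a stale variable.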