Fix: Correcciones de seguridad críticas en deployment

- Eliminar exposición del puerto 4430 que creaba bypass a Traefik
- Eliminar comandos destructivos rm -rf que borraban datos en cada deploy
- Restringir permisos de directorios sensibles de 755 a 750
2025-10-31 22:15:01 -06:00
parent 7e244084dc
commit 2177bf6eed
2 changed files with 5 additions and 11 deletions


@@ -28,7 +28,7 @@ jobs:
- name: Clean up existing stack - name: Clean up existing stack
run: docker compose --project-name $APP_NAME down || true run: docker compose --project-name $APP_NAME down || true
- name: Create and clean MeshCentral directories - name: Create MeshCentral directories
run: | run: |
# Crear directorios fijos en /srv/meshcentral # Crear directorios fijos en /srv/meshcentral
mkdir -p /srv/meshcentral/data mkdir -p /srv/meshcentral/data
@@ -36,10 +36,6 @@ jobs:
mkdir -p /srv/meshcentral/backup mkdir -p /srv/meshcentral/backup
mkdir -p /srv/meshcentral/config mkdir -p /srv/meshcentral/config
# Limpiar SOLO el config.json (empezar de cero según el usuario)
rm -rf /srv/meshcentral/data/*
rm -rf /srv/meshcentral/files/*
- name: Generate MeshCentral config.json - name: Generate MeshCentral config.json
run: | run: |
tee /srv/meshcentral/data/config.json > /dev/null <<'EOF' tee /srv/meshcentral/data/config.json > /dev/null <<'EOF'
@@ -93,10 +89,10 @@ jobs:
- name: Set correct permissions - name: Set correct permissions
run: | run: |
chmod -R 755 /srv/meshcentral/data chmod -R 750 /srv/meshcentral/data
chmod -R 755 /srv/meshcentral/files chmod -R 750 /srv/meshcentral/files
chmod -R 755 /srv/meshcentral/backup chmod -R 750 /srv/meshcentral/backup
chmod -R 755 /srv/meshcentral/config chmod -R 750 /srv/meshcentral/config
- name: Start MeshCentral stack - name: Start MeshCentral stack
run: docker compose --project-name $APP_NAME up -d --remove-orphans --wait run: docker compose --project-name $APP_NAME up -d --remove-orphans --wait
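Review bot: In the "Set correct permissions" hunk, `chmod -R 750` sets the execute bit on every regular file under the four trees, including the config.json written by the `tee` step earlier in the job, and it changes no ownership, so the tightening from 755 only buys something if the owner and group of /srv/meshcentral already match the account the container process runs as, which nothing in the workflow shows. I would split directories from files and make the ownership explicit: `find /srv/meshcentral/data /srv/meshcentral/files /srv/meshcentral/backup /srv/meshcentral/config -type d -exec chmod 750 {} +` followed by `find /srv/meshcentral/data /srv/meshcentral/files /srv/meshcentral/backup /srv/meshcentral/config -type f -exec chmod 640 {} +`, plus a `chown` to the UID/GID the MeshCentral container uses (to be confirmed from the image), since 750 on a tree owned by the runner user will stop a non-root container from writing anything under meshcentral-data. Since this step runs before `docker compose ... up`, files the container creates afterwards get the container's own umask rather than these modes, so a comment such as `# modes apply to pre-existing files only; runtime files follow the container umask` would save the next reader from assuming 750 is enforced continuously. The job definition starts before this hunk, so the env that sets $APP_NAME is not visible here.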


@@ -5,8 +5,6 @@ services:
image: ghcr.io/ylianst/meshcentral:latest image: ghcr.io/ylianst/meshcentral:latest
container_name: ${APP_NAME:-meshcentral} container_name: ${APP_NAME:-meshcentral}
restart: unless-stopped restart: unless-stopped
ports:
- "${MESH_PORT:-4430}:4430"
volumes: volumes:
- /srv/meshcentral/data:/opt/meshcentral/meshcentral-data - /srv/meshcentral/data:/opt/meshcentral/meshcentral-data
- /srv/meshcentral/files:/opt/meshcentral/meshcentral-files - /srv/meshcentral/files:/opt/meshcentral/meshcentral-files
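Review bot: Removing the `ports:` mapping closes the host-level path around the proxy, but the hunk shows no `networks:` entry or router labels on this service, so after this change reachability depends entirely on Traefik sharing a Docker network with the container; if that is declared outside the hunk this is fine, otherwise the deploy succeeds (`--wait` only checks the container is up) while the service is unreachable. To keep the internal listener documented without publishing it, add `expose:` with `- "4430"` in place of the deleted mapping, which also discourages someone re-adding a host binding to "fix" connectivity. `MESH_PORT` is no longer referenced in this file; if it is still exported by the workflow or written into the generated config.json, it is now dead and should be removed so the two cannot drift. The service definition begins above line 5 and is not visible in this hunk.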