[Bug] - mkdir jwt - permission denied

[jhult]

• Gitea version (or commit ref): 1.15.0+dev-453-g4fcae3d06 via Docker image gitea/gitea:latest-rootless
• Database:
  • SQLite

Description

...th2/jwtsigningkey.go:360:loadOrCreateAsymmetricKey() [F] Error generating private key: mkdir /var/lib/gitea/custom/jwt: permission denied

This causes the Docker container to continually restart.

Related issue: #15912
Related pull request: #16010

[yfreund]

I also encountered this issue - this is caused by the application setting permissions on /var/lib/gitea/custom to 500 prior to creating /var/lib/gitea/custom/jwt. I had to manually create the latter as a workaround (sudo mkdir custom/jwt && sudo chown gitea:gitea custom/jwt).

[zeripath]

You can set:

[oauth2] JWT_SIGNING_PRIVATE_KEY_FILE to an absolute path or just create the KeyFile as necessary.

More information is available here: https://docs.gitea.io/en-us/config-cheat-sheet/#oauth2-oauth2

[yfreund]

Thanks for the additional feedback @zeripath - I still believe the folder permissions should be altered, or changed after the subfolder is created. This should be a fairly trivial alteration to docker/rootless/usr/local/bin/docker-setup.sh:

# Prepare custom folder
mkdir -p ${GITEA_CUSTOM} && chmod 0500 ${GITEA_CUSTOM}

I would be happy to submit a PR, but I have no further information as to why these permissions are set to 0500, so I'm not sure which approach would be better - setting the permissions to 0700 or moving the second command further down the file (unfortunately the reason hasn't been documented here).

[zeripath]

Yeah it appears to be a breaking change by default - I'm gonna mark it as breaking and we're gonna need to think about what we do by default here.

[6543]

Well two options:
A. switch back old default
B. Make somehow sure it dont break

[zeripath]

thanks @6543 - I would guess we should have the default be a fallback to the old case when it can't create - with a log Error.

[6543]

good idear :) cc @KN4CK3R