Merge branch 'security-28074-root-passwork-in-migration-output' into 'master'

Never display the root password

See merge request gitlab-org/security/gitlab!1710

config/gitlab.yml.example

@@ -176,8 +176,10 @@ production: &base
     ## Application settings cache expiry in seconds (default: 60)
     # application_settings_cache_seconds: 60
 
-    ## Print initial root password to stdout during initialization (default: true)
-    # display_initial_root_password: true
+    ## Print initial root password to stdout during initialization (default: false)
+    # WARNING: setting this to true means that the root password will be printed in
+    # plaintext. This can be a security risk.
+    # display_initial_root_password: false
 
   ## Reply by email
   # Allow users to comment on issues and merge requests by replying to notification emails.

config/initializers/1_settings.rb

@@ -218,8 +218,7 @@
 Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil?
 Settings.gitlab['usage_ping_enabled'] = true if Settings.gitlab['usage_ping_enabled'].nil?
 Settings.gitlab['max_request_duration_seconds'] ||= 57
-
-Settings.gitlab['display_initial_root_password'] = true if Settings.gitlab['display_initial_root_password'].nil?
+Settings.gitlab['display_initial_root_password'] = false if Settings.gitlab['display_initial_root_password'].nil?
 
 Gitlab.ee do
   Settings.gitlab['mirror_max_delay'] ||= 300

db/fixtures/production/002_admin.rb

@@ -26,7 +26,7 @@
     if ::Settings.gitlab['display_initial_root_password']
       puts "password: #{user_args[:password]}".color(:green)
     else
-      puts "password: *** - You opted not to display initial root password to STDOUT."
+      puts "password: ******".color(:green)
     end
   else
     puts "password: You'll be prompted to create one on your first visit.".color(:green)