Merge pull request #343 from smortex/security-file-permissions
Restrict configuration file permissions
bastelfreak authored May 6, 2024
2 parents 3afd693 + 36a8cd8 commit 1475311
Showing 10 changed files with 28 additions and 36 deletions.
24 changes: 10 additions & 14 deletions manifests/server.pp
Expand Up @@ -478,7 +478,6 @@
conn_max_age => $conn_max_age,
conn_lifetime => $conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
migrate => $migrate,
notify => Service[$puppetdb_service],
Expand Down Expand Up @@ -510,7 +509,6 @@
conn_max_age => $read_conn_max_age,
conn_lifetime => $read_conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
database_max_pool_size => $read_database_max_pool_size,
Expand All @@ -520,29 +518,29 @@
file {
$ssl_dir:
ensure => directory,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0700';
mode => '0755';
$ssl_key_path:
ensure => file,
content => $ssl_key,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service];
$ssl_cert_path:
ensure => file,
content => $ssl_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
$ssl_ca_cert_path:
ensure => file,
content => $ssl_ca_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
}
}
Expand All @@ -560,9 +558,9 @@

file { $ssl_key_pk8_path:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service],
}
}
Expand All @@ -583,7 +581,6 @@
confdir => $confdir,
max_threads => $max_threads,
notify => Service[$puppetdb_service],
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
}

Expand All @@ -592,7 +589,6 @@
certificate_whitelist => $certificate_whitelist,
disable_update_checking => $disable_update_checking,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
}
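Review bot: The private-key files at `$ssl_key_path` and `$ssl_key_pk8_path` move from `0600` owned by the service user to `0640` owned by root with group `$puppetdb_group`, so every member of that group can now read the key rather than only the service account; that is presumably the intended trade (the service can read but no longer replace its own key), but it silently relies on `$puppetdb_group` being a dedicated group. A comment above the `file { $ssl_dir:` block such as `# root-owned so a compromised PuppetDB cannot swap its own key/certs; the key is group-readable, so $puppetdb_group must contain only the service account` would record that assumption for the next maintainer. `$ssl_dir` itself does not need to be world-traversable for the service to read the key, so `mode => '0750';` would grant the same access with less exposure than the new `0755`. The class body containing these resources starts and ends outside the shown hunks.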
5 changes: 2 additions & 3 deletions manifests/server/database.pp
Expand Up @@ -19,7 +19,6 @@
$conn_max_age = $puppetdb::params::conn_max_age,
$conn_lifetime = $puppetdb::params::conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::database_max_pool_size,
$migrate = $puppetdb::params::migrate,
Expand Down Expand Up @@ -50,9 +49,9 @@

file { $database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$database_ini]
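Review bot: Dropping the `$puppetdb_user` parameter from `puppetdb::server::database` (and, in this same commit, from the jetty, puppetdb and read_database classes) is a breaking interface change that the commit title does not signal: any profile that passes `puppetdb_user => ...` to one of these classes directly will fail catalog compilation with an unknown-parameter error. Keeping it as a deprecated no-op, e.g. `$puppetdb_user = undef, # deprecated: files are now root-owned; value ignored`, optionally with a deprecation warning when it is set, would keep existing callers working until a major release. Separately, `database.ini` is where the database credentials are typically written, so `0640` root:`$puppetdb_group` is appropriate, but it is now readable by every member of `$puppetdb_group` rather than only the service account, which is worth a one-line comment above the `file { $database_ini:` resource. The class body continues past the shown hunk.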
5 changes: 2 additions & 3 deletions manifests/server/jetty.pp
Expand Up @@ -16,16 +16,15 @@
Optional[String] $cipher_suites = $puppetdb::params::cipher_suites,
$confdir = $puppetdb::params::confdir,
$max_threads = $puppetdb::params::max_threads,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$jetty_ini = "${confdir}/jetty.ini"

file { $jetty_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/puppetdb.pp
Original file line number Diff line number Diff line change
Expand Up @@ -6,16 +6,15 @@
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
$disable_update_checking = $puppetdb::params::disable_update_checking,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$puppetdb_ini = "${confdir}/puppetdb.ini"

file { $puppetdb_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/read_database.pp
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,6 @@
$conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
Expand Down Expand Up @@ -44,9 +43,9 @@

file { $read_database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$read_database_ini]
4 changes: 2 additions & 2 deletions spec/unit/classes/server/database_ini_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/database.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/jetty_ini_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/jetty.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/puppetdb_ini_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/read_database_ini_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -210,9 +210,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8')
.with(
ensure: 'file',
owner: 'puppetdb',
owner: 'root',
group: 'puppetdb',
mode: '0600',
mode: '0640',
)
end
end
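Review bot: Only the `private.pk8` expectation is updated here, while `manifests/server.pp` in this same commit also changes the owner and mode of `$ssl_dir` (now `0755`), `$ssl_key_path` (now `0640`) and the two certificate files (now `0644`); unless those are asserted elsewhere in this spec, the directory and PEM-file permission changes land without a test pinning them. Adding a sibling expectation of the form `is_expected.to contain_file(<resolved $ssl_key_path>).with(owner: 'root', group: 'puppetdb', mode: '0640')` next to this one would at least lock in the key-file permissions, which are the security-relevant part of the change. The `describe`/`context` block enclosing this example starts outside the hunk.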