From 76e1ac5e8c6f700025a849f10c555cdd686f822d Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 12 Jan 2024 22:31:17 +0900
Subject: [PATCH] Restrict access to certificate files

The certificate files don't need x bits. Also these files, especially the private key file should have very restricted access.

Closes-Bug: #2049203
Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3
---
 manifests/certificates.pp | 8 ++++----
 spec/classes/octavia_certificates_spec.rb | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index c1520851..58675431 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -166,7 +166,7 @@ class octavia::certificates (
 content => $ca_certificate_data,
 group => $file_permission_owner,
 owner => $file_permission_group,
- mode => '0755',
+ mode => '0640',
 replace => true,
 show_diff => false,
 tag => 'octavia-certificate',
@@ -188,7 +188,7 @@ class octavia::certificates (
 content => $ca_private_key_data,
 group => $file_permission_owner,
 owner => $file_permission_group,
- mode => '0755',
+ mode => '0640',
 replace => true,
 show_diff => false,
 tag => 'octavia-certificate',
@@ -207,7 +207,7 @@ class octavia::certificates (
 content => $client_ca_data,
 group => $file_permission_owner,
 owner => $file_permission_group,
- mode => '0755',
+ mode => '0640',
 replace => true,
 show_diff => false,
 tag => 'octavia-certificate',
@@ -229,7 +229,7 @@ class octavia::certificates (
 content => $client_cert_data,
 group => $file_permission_owner,
 owner => $file_permission_group,
- mode => '0755',
+ mode => '0640',
 replace => true,
 show_diff => false,
 tag => 'octavia-certificate',
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index 5035c63d..f9bc0ccf 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
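Review bot: The ownership attributes in the context lines of this resource look swapped: `group => $file_permission_owner` and `owner => $file_permission_group`, so the value given as the owner parameter appears to land on the group and vice versa; the same pair is left unchanged in the hunks at -188, -207 and -229. With the new 0640 mode the group is the only identity besides the owner that may still read these files, so this assignment now decides who can read the CA private key. Unless the parameters are intentionally named this way, the two lines should read `owner => $file_permission_owner,` and `group => $file_permission_group,`. The enclosing class body starts and ends outside the hunk.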
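Review bot: `0640` still leaves the file holding `$ca_private_key_data` readable by every member of its group, although the commit message singles out the private key as the file needing the most restricted access; the certificate files (CA, client CA, client cert) have a weaker requirement than the key and need not share its mode. If no other group member reads the key, this resource should use `mode => '0600',` with the matching expectation updated in the spec hunks at -110 and -177. If the group read is deliberate, a short comment on this resource naming the process that reads the key through group membership would record the decision for the next reviewer.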
@@ -100,7 +100,7 @@ describe 'octavia::certificates' do
 'content' => 'on_my_authority_this_is_a_certificate',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -110,7 +110,7 @@ describe 'octavia::certificates' do
 'content' => 'this_is_my_private_key_woot_woot',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -120,7 +120,7 @@ describe 'octavia::certificates' do
 'content' => 'certainly_for_the_client',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -167,7 +167,7 @@ describe 'octavia::certificates' do
 'content' => 'on_my_authority_this_is_a_certificate',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -177,7 +177,7 @@ describe 'octavia::certificates' do
 'content' => 'this_is_my_private_key_woot_woot',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -187,7 +187,7 @@ describe 'octavia::certificates' do
 'content' => 'certainly_for_the_client',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
@@ -308,7 +308,7 @@ describe 'octavia::certificates' do
 'content' => 'my_ca_certificate',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',
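Review bot: The expectations in this hunk, and in the six that follow through -318, set `'owner' => 'octavia'` and `'group' => 'octavia'` to the same value, so they cannot distinguish the manifest's owner from its group; the manifest hunks in this same patch assign `group => $file_permission_owner` and `owner => $file_permission_group`, and these examples pass whichever way round that assignment is. Since the new 0640 mode makes the group the only other identity allowed to read the private key, at least one example should give owner and group distinct values (a constructed pair such as `'owner' => 'octavia'` with `'group' => 'octavia-certs'`, if the class parameters permit setting them separately) so that the assignment is checked along with the mode. The describe block starts and ends outside the hunk.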
@@ -318,7 +318,7 @@ describe 'octavia::certificates' do
 'content' => 'my_client_ca',
 'owner' => 'octavia',
 'group' => 'octavia',
- 'mode' => '0755',
+ 'mode' => '0640',
 'replace' => true,
 'show_diff' => false,
 'tag' => 'octavia-certificate',