Tighten permissions on zone keys

Remove world-readable/traversable bits from permissions on the BIND
DNSSEC keys directory and the keys themselves (not actually
necessary for the public key files, but added for consistency as
they share a directory with the private keys). Note that this
matches the permissions and ownership of the existing
adns1.openstack.org server.

Change-Id: I015777ee346fefcaa92e64ad2ee88a41c7ea9bde
Jeremy Stanley 2018-11-14 12:44:09 +00:00
parent 3bb6841b33
commit 6c406f825b


@ -46,17 +46,26 @@
file: file:
path: "/etc/bind/keys/{{ item.name }}" path: "/etc/bind/keys/{{ item.name }}"
state: directory state: directory
owner: root
group: bind
mode: 0750
- name: Install dnssec public keys - name: Install dnssec public keys
loop: "{{ dnssec_keys | dict2items }}" loop: "{{ dnssec_keys | dict2items }}"
copy: copy:
dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key" dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.key"
content: "{{ item.value.public }}" content: "{{ item.value.public }}"
owner: root
group: bind
mode: 0440
- name: Install dnssec private keys - name: Install dnssec private keys
no_log: true no_log: true
loop: "{{ dnssec_keys | dict2items }}" loop: "{{ dnssec_keys | dict2items }}"
copy: copy:
dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private" dest: "/etc/bind/keys/{{ item.value.zone }}/K{{ item.value.zone }}.+008+{{ item.key }}.private"
content: "{{ item.value.private }}" content: "{{ item.value.private }}"
owner: root
group: bind
mode: 0440
- name: Install bind config - name: Install bind config
template: template:
src: templates/named.conf.j2 src: templates/named.conf.j2
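Review bot: The three added `mode:` values (0750 on the directory task, 0440 on both copy tasks) are unquoted leading-zero integers, which only yield the intended permission because Ansible's YAML 1.1 loader reads them as octal; a YAML 1.2 parser or a linter reading the same file would see decimal 750/440, and ansible-lint flags this pattern. Quoting them as strings lets Ansible do its own octal conversion and is the form its own documentation recommends: `mode: "0750"`, `mode: "0440"`, `mode: "0440"`. Beyond that the tightening looks consistent across the three tasks (root:bind with group read so named can still load the private keys), and `no_log: true` already covers the private-key task so the key material is not echoed in task output. The enclosing tasks list begins before this hunk and continues after it.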