Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files
should be owned by root and in the service user group with 0640 permissions.

http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-01-is-user-group-ownership-of-config-files-set-to-root-cinder

Change-Id: Ic175909c24bbc1f5a7d8e521d880e1a63afa887b
Travis Truman 2017-02-07 12:12:31 -05:00
parent 04a84400bb
commit e9cf96f447
3 changed files with 4 additions and 5 deletions

.gitignore vendored

@ -62,6 +62,7 @@ releasenotes/build
# Test temp files
tests/common
tests/playbooks
tests/*.retry
# Vagrant artifacts


@ -17,9 +17,9 @@
config_template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner|default(cinder_system_user_name) }}"
owner: "root"
group: "{{ item.group|default(cinder_system_group_name) }}"
mode: "0644"
mode: "0640"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items:
@ -33,8 +33,6 @@
config_type: "ini"
- src: "rootwrap.conf.j2"
dest: "/etc/cinder/rootwrap.conf"
owner: "root"
group: "root"
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
config_type: "ini"
- src: "policy.json.j2"


@ -40,7 +40,7 @@
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- { path: "/var/cache/cinder", mode: "0700" }
- { path: "/etc/cinder", mode: "0750" }
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root" }
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "{{ cinder_system_home_folder }}" }
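Review bot: With `mode: "0750"` and root:root ownership, `/etc/cinder/rootwrap.d` is no longer listable or traversable by the service user; if, as I expect, the filter files there are only read by the root-executed rootwrap, that is the right tightening, but the entry should say so, e.g. `# root-only: rootwrap.d is consumed by rootwrap running as root, not by the service user`. The neighbouring `/etc/cinder` (`0750`) and `/var/cache/cinder` (`0700`) entries carry no explicit owner/group, so their effective ownership depends on the task's defaults, which are outside the hunk. The enclosing task begins above the hunk.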