Implementing stricter permissions on config files
The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions. http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-01-is-user-group-ownership-of-config-files-set-to-root-cinder Change-Id: Ic175909c24bbc1f5a7d8e521d880e1a63afa887b
parent
04a84400bb
commit
e9cf96f447
1
.gitignore
vendored
1
.gitignore
vendored
@ -62,6 +62,7 @@ releasenotes/build
|
|||||||
|
|
||||||
# Test temp files
|
# Test temp files
|
||||||
tests/common
|
tests/common
|
||||||
|
tests/playbooks
|
||||||
tests/*.retry
|
tests/*.retry
|
||||||
|
|
||||||
# Vagrant artifacts
|
# Vagrant artifacts
|
||||||
|
@ -17,9 +17,9 @@
|
|||||||
config_template:
|
config_template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: "{{ item.owner|default(cinder_system_user_name) }}"
|
owner: "root"
|
||||||
group: "{{ item.group|default(cinder_system_group_name) }}"
|
group: "{{ item.group|default(cinder_system_group_name) }}"
|
||||||
mode: "0644"
|
mode: "0640"
|
||||||
config_overrides: "{{ item.config_overrides }}"
|
config_overrides: "{{ item.config_overrides }}"
|
||||||
config_type: "{{ item.config_type }}"
|
config_type: "{{ item.config_type }}"
|
||||||
with_items:
|
with_items:
|
||||||
@ -33,8 +33,6 @@
|
|||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
- src: "rootwrap.conf.j2"
|
- src: "rootwrap.conf.j2"
|
||||||
dest: "/etc/cinder/rootwrap.conf"
|
dest: "/etc/cinder/rootwrap.conf"
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
|
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
|
||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
- src: "policy.json.j2"
|
- src: "policy.json.j2"
|
||||||
|
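Review bot: The new `owner: "root"` line no longer honours `item.owner`, while `group` still goes through `item.group|default(cinder_system_group_name)`, so any entry in `with_items` that still sets `owner` is now silently ignored. A comment above the task such as `# owner is always root per the security guide; item.owner is not consulted` would make that intentional. With `owner`/`group` removed from the `rootwrap.conf` item, that file moves from root:root to root:<service group>. If rootwrap only ever reads it as root via sudo (not visible here), keeping `group: "root"` on that one item would be the tighter setting under `0640`. The task and its `with_items` list begin and end outside these hunks.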
@ -40,7 +40,7 @@
|
|||||||
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
|
||||||
- { path: "/var/cache/cinder", mode: "0700" }
|
- { path: "/var/cache/cinder", mode: "0700" }
|
||||||
- { path: "/etc/cinder", mode: "0750" }
|
- { path: "/etc/cinder", mode: "0750" }
|
||||||
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root" }
|
- { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
|
||||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||||
- { path: "{{ cinder_system_home_folder }}" }
|
- { path: "{{ cinder_system_home_folder }}" }
|
||||||
|
|
||||||
|
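Review bot: The `/etc/cinder` entry still sets only `mode: "0750"` and no owner, so the directory takes whatever default the task applies (not visible in this hunk). If that default is the service user, the root ownership now enforced on the files inside is weaker than it looks, because write permission on the directory lets that account rename or replace them whatever their own mode. Consider pinning it explicitly, e.g. `- { path: "/etc/cinder", mode: "0750", owner: "root" }`, and confirming the group stays the service group so the daemons can still traverse it. The list and the task that consumes it start and end outside the hunk.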