From ff47522cb019a8f591c59eeed786c1f5158c0ba4 Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Mon, 6 Feb 2017 16:14:09 -0500
Subject: [PATCH] Implementing stricter permissions on config files

The security guide suggests that /etc/horizon/local-settings.py should be owned by root and in the horizon group with 0640 permissions.

Change-Id: I4a49394cd2afb92e0da1b233e21bad862ddee059
---
 defaults/main.yml | 3 ++-
 tasks/horizon_post_install.yml | 4 ++--
 vars/debian.yml | 2 +-
 vars/redhat-7.yml | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index d5031126..170a36ed 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -58,7 +58,8 @@ horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz
 
 ## System info
 horizon_system_user_name: horizon
-horizon_system_group_name: www-data
+horizon_system_group_name: horizon
+
 horizon_system_shell: /bin/false
 horizon_system_comment: horizon system user
 horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
diff --git a/tasks/horizon_post_install.yml b/tasks/horizon_post_install.yml
index 82d41bf8..0d700227 100644
--- a/tasks/horizon_post_install.yml
+++ b/tasks/horizon_post_install.yml
@@ -17,11 +17,11 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: "{{ horizon_system_user_name }}"
+    owner: "{{ item.owner|default(horizon_system_user_name) }}"
     group: "{{ horizon_system_group_name }}"
     mode: "{{ item.mode }}"
   with_items:
-    - { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", mode: "0644" }
+    - { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", owner: "root", mode: "0640" }
     - { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" }
     - { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" }
   notify: Restart apache2
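Review bot: Switching the default `horizon_system_group_name` from `www-data` to `horizon` only makes the new 0640 root:horizon `local_settings.py` readable by the web server if the Apache/WSGI worker actually runs as a member of the `horizon` group, and nothing in this hunk establishes that. On a host where the dashboard is served under the distribution's web-server account, that account would need supplementary membership in the group, or the WSGI daemon would have to run as `horizon_system_user_name`; this is also a behaviour change for existing deployments whose files are currently group-owned by www-data. The constraint deserves a comment above the variable, e.g. `# The web server process must belong to this group to read the 0640 local_settings.py`. The added empty line after the variable also splits a stanza whose other keys are not separated by blank lines, which looks unintended.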
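Review bot: The per-item override is added for `owner` only, while `group` stays hard-wired to `horizon_system_group_name`, so this task cannot express the `owner: "root", group: "root"` pairs that the vars files in the same commit use for the Apache configs; for symmetry and future reuse, `group: "{{ item.group|default(horizon_system_group_name) }}"`. With the settings file now 0640 root:horizon, an Apache worker that is not in that group fails to import the settings only at request time, not during the play, so the item should state the intent inline, e.g. `# root:horizon 0640: settings hold secrets; the web server reads them via group membership`. The `- name:` line of this template task begins above the hunk.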
diff --git a/vars/debian.yml b/vars/debian.yml
index 64d6aa4c..ba1fa60e 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -38,7 +38,7 @@ horizon_apache_site_enabled: "/etc/apache2/sites-enabled/openstack-dashboard.con
 
 horizon_apache_configs:
   - { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" }
-  - { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}" }
+  - { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}", owner: "root", group: "root" }
 
 horizon_apache_default_sites:
   - "/etc/apache2/sites-enabled/000-default.conf"
diff --git a/vars/redhat-7.yml b/vars/redhat-7.yml
index 12b212f6..2a36846e 100644
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@@ -35,7 +35,7 @@ horizon_apache_security_conf: "{{ horizon_apache_conf }}"
 
 horizon_apache_configs:
   - { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" }
-  - { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf" }
+  - { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf", owner: "root", group: "root" }
 
 horizon_apache_default_sites:
   - "/etc/httpd/conf.d/userdir.conf"
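Review bot: The `openstack_dashboard.conf.j2` entry now pins `owner`/`group` to root but, like the `ports.conf` entry above it, carries no `mode`, so the permissions actually applied depend on whatever default the task that consumes `horizon_apache_configs` uses, and that task is outside this diff. If the goal is to make the Apache configuration fully root-owned and explicitly permissioned, add `mode: "0644"` to both items so the result does not vary with the consumer's defaults; the same applies to the identical hunk in vars/redhat-7.yml. The commit message mentions only local_settings.py, so a sentence noting that the Apache site configs become root:root would help the next reader of the history.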