Implementing stricter permissions on config files

The security guide suggests that /etc/horizon/local-settings.py
should be owned by root and in the horizon group with 0640 permissions.

Change-Id: I4a49394cd2afb92e0da1b233e21bad862ddee059
This commit is contained in:
Travis Truman 2017-02-06 16:14:09 -05:00
parent 2f5ac684ab
commit ff47522cb0
4 changed files with 6 additions and 5 deletions

View File

@ -58,7 +58,8 @@ horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz
## System info ## System info
horizon_system_user_name: horizon horizon_system_user_name: horizon
horizon_system_group_name: www-data horizon_system_group_name: horizon
horizon_system_shell: /bin/false horizon_system_shell: /bin/false
horizon_system_comment: horizon system user horizon_system_comment: horizon system user
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}" horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"

View File

@ -17,11 +17,11 @@
template: template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "{{ horizon_system_user_name }}" owner: "{{ item.owner|default(horizon_system_user_name) }}"
group: "{{ horizon_system_group_name }}" group: "{{ horizon_system_group_name }}"
mode: "{{ item.mode }}" mode: "{{ item.mode }}"
with_items: with_items:
- { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", mode: "0644" } - { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", owner: "root", mode: "0640" }
- { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" } - { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" }
- { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" } - { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" }
notify: Restart apache2 notify: Restart apache2

View File

@ -38,7 +38,7 @@ horizon_apache_site_enabled: "/etc/apache2/sites-enabled/openstack-dashboard.con
horizon_apache_configs: horizon_apache_configs:
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" } - { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" }
- { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}" } - { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}", owner: "root", group: "root" }
horizon_apache_default_sites: horizon_apache_default_sites:
- "/etc/apache2/sites-enabled/000-default.conf" - "/etc/apache2/sites-enabled/000-default.conf"

View File

@ -35,7 +35,7 @@ horizon_apache_security_conf: "{{ horizon_apache_conf }}"
horizon_apache_configs: horizon_apache_configs:
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" } - { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" }
- { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf" } - { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf", owner: "root", group: "root" }
horizon_apache_default_sites: horizon_apache_default_sites:
- "/etc/httpd/conf.d/userdir.conf" - "/etc/httpd/conf.d/userdir.conf"