Implementing stricter permissions on config files
The security guide suggests that /etc/horizon/local_settings.py should be owned by root and in the horizon group with 0640 permissions.

Change-Id: I4a49394cd2afb92e0da1b233e21bad862ddee059
parent
2f5ac684ab
commit
ff47522cb0
@ -58,7 +58,8 @@ horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz
|
|||||||
|
|
||||||
## System info
|
## System info
|
||||||
horizon_system_user_name: horizon
|
horizon_system_user_name: horizon
|
||||||
horizon_system_group_name: www-data
|
horizon_system_group_name: horizon
|
||||||
|
|
||||||
horizon_system_shell: /bin/false
|
horizon_system_shell: /bin/false
|
||||||
horizon_system_comment: horizon system user
|
horizon_system_comment: horizon system user
|
||||||
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
|
horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
|
||||||
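Review bot: The new default `horizon_system_group_name: horizon` carries an undocumented requirement, because the settings file becomes root-owned with mode 0640 in the same commit, leaving it readable only by root and members of this group. Nothing on this page shows the Apache/WSGI process running with the `horizon` group, so that should be confirmed; otherwise the dashboard cannot load `/etc/horizon/local_settings.py`. Deployments that relied on the old `www-data` default will also get different group ownership on the next run, which deserves a release note. I would add a comment above the variable, for example `# Group owning Horizon config files; the WSGI process must run with this group to read local_settings.py (0640)`.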
|
@ -17,11 +17,11 @@
|
|||||||
template:
|
template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: "{{ horizon_system_user_name }}"
|
owner: "{{ item.owner|default(horizon_system_user_name) }}"
|
||||||
group: "{{ horizon_system_group_name }}"
|
group: "{{ horizon_system_group_name }}"
|
||||||
mode: "{{ item.mode }}"
|
mode: "{{ item.mode }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", mode: "0644" }
|
- { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", owner: "root", mode: "0640" }
|
||||||
- { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" }
|
- { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" }
|
||||||
- { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" }
|
- { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" }
|
||||||
notify: Restart apache2
|
notify: Restart apache2
|
||||||
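Review bot: The other two `with_items` entries still fall back to `horizon_system_user_name` as owner, so `horizon-manage.py` and `_80_admin_default_panel.py` remain writable by the service account while only `local_settings.py` is locked down. If the dashboard runs as that user, a compromised dashboard process could rewrite code it later loads, so I would add `owner: "root"` to both items. The panel file looks like an imported module rather than an executable, in which case `mode: "0644"` would be enough for it. For symmetry with the new owner override, the group line could become `group: "{{ item.group|default(horizon_system_group_name) }}"`. The task's name and any `when`/`tags` lie above the hunk, so this assumes nothing else there changes ownership.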
|
@ -38,7 +38,7 @@ horizon_apache_site_enabled: "/etc/apache2/sites-enabled/openstack-dashboard.con
|
|||||||
|
|
||||||
horizon_apache_configs:
|
horizon_apache_configs:
|
||||||
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" }
|
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" }
|
||||||
- { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}" }
|
- { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}", owner: "root", group: "root" }
|
||||||
|
|
||||||
horizon_apache_default_sites:
|
horizon_apache_default_sites:
|
||||||
- "/etc/apache2/sites-enabled/000-default.conf"
|
- "/etc/apache2/sites-enabled/000-default.conf"
|
||||||
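Review bot: Neither `horizon_apache_configs` entry sets a mode, so with the added `owner: "root", group: "root"` the final permissions of the vhost file still depend on the consuming task, which is outside this hunk. If that task passes no explicit mode, a newly created file takes its mode from the umask and an existing file keeps whatever mode it already had. I would add `mode: "0644"` to both items here, and to the same two items in the following hunk that targets `/etc/httpd/conf.d/openstack-dashboard.conf`. Please also confirm the consuming task reads `item.owner` and `item.group`, since otherwise the new keys have no effect.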
|
@ -35,7 +35,7 @@ horizon_apache_security_conf: "{{ horizon_apache_conf }}"
|
|||||||
|
|
||||||
horizon_apache_configs:
|
horizon_apache_configs:
|
||||||
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" }
|
- { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" }
|
||||||
- { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf" }
|
- { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf", owner: "root", group: "root" }
|
||||||
|
|
||||||
horizon_apache_default_sites:
|
horizon_apache_default_sites:
|
||||||
- "/etc/httpd/conf.d/userdir.conf"
|
- "/etc/httpd/conf.d/userdir.conf"
|
||||||
|