Update cinder config files permissions
The /etc/cinder/*.conf|*.ini files and directories are world readable.
This may lead to sensitive information leakage and cloud compromise.
Set cinder config files permissions to 0640.
Set cinder config files owner and group to root:cinder.
Change-Id: I0f5c2b4df01efdced5d21dd2b1db694413330dea
Related-Prod: PROD-22089, PROD-22091
diff --git a/cinder/controller.sls b/cinder/controller.sls
index 6ee10e1..e6af812 100644
--- a/cinder/controller.sls
+++ b/cinder/controller.sls
@@ -24,6 +24,9 @@
file.managed:
- source: salt://cinder/files/{{ controller.version }}/cinder.conf.controller.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: cinder
- require:
- pkg: cinder_controller_packages
- require_in:
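Review bot: `- mode: 0640` is an unquoted scalar with a leading zero, which a plain YAML 1.1 parser reads as an octal integer (416) rather than the string 0640. Salt's own loader is understood to special-case leading-zero integers, so the state probably still applies the intended mode, but quoting removes the dependency on that behaviour: `- mode: '0640'`. The same applies to every `mode` line added in this commit, in both cinder/controller.sls and cinder/volume.sls. The state ID and the end of the `require_in` list are outside the hunk.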
@@ -33,6 +36,8 @@
file.managed:
- source: salt://cinder/files/{{ controller.version }}/api-paste.ini.controller.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: cinder
- require:
- pkg: cinder_controller_packages
- require_in:
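Review bot: The api-paste.ini state gets `mode` and `group` here but no `user`, so the owner is not enforced, although the commit message says owner and group should be root:cinder. As far as I know, file.managed does not change the owner of an existing file when `user` is omitted, so a file already owned by cinder would remain writable by the service account under 0640. Adding `- user: root` after the mode line would match the cinder.conf hunk above. The same gap appears in the backend hunk at `@@ -318,6 +325,8 @@` and in the `@@ -63,6 +66,8 @@`, `@@ -184,6 +190,8 @@` and `@@ -265,6 +273,8 @@` hunks of cinder/volume.sls. The state's ID and the rest of its requisites lie outside the hunk.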
@@ -82,7 +87,8 @@
- name: /etc/cinder/logging.conf
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- - user: cinder
+ - mode: 0640
+ - user: root
- group: cinder
- defaults:
service_name: cinder
@@ -111,7 +117,8 @@
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- makedirs: True
- - user: cinder
+ - mode: 0640
+ - user: root
- group: cinder
- defaults:
service_name: {{ service_name }}
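Review bot: The directories named in the commit message are not covered by this state, because `makedirs: True` only affects parent directories that Salt creates and no `dir_mode` is given. When `dir_mode` is unset, Salt is documented to derive the directory mode from the file mode by adding the execute bit, so newly created directories should come out as 0750, but a directory that already exists keeps whatever permissions it had. If world-readable directories are part of the problem being fixed, an explicit `file.directory` state with `mode`, `user` and `group` would enforce it; the same holds for the `@@ -133,7 +138,8 @@` hunk in cinder/volume.sls. The state's ID and `name` are outside the hunk, so the target path cannot be confirmed from here.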
@@ -318,6 +325,8 @@
- defaults:
backend: {{ backend|yaml }}
- template: jinja
+ - mode: 0640
+ - group: cinder
- require:
- pkg: cinder_controller_packages
@@ -405,5 +414,4 @@
{%- endif %}
{%- endif %}
-
{%- endif %}
diff --git a/cinder/volume.sls b/cinder/volume.sls
index cde53fd..396b03e 100644
--- a/cinder/volume.sls
+++ b/cinder/volume.sls
@@ -56,6 +56,9 @@
file.managed:
- source: salt://cinder/files/{{ volume.version }}/cinder.conf.volume.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: cinder
- require:
- pkg: cinder_volume_packages
@@ -63,6 +66,8 @@
file.managed:
- source: salt://cinder/files/{{ volume.version }}/api-paste.ini.volume.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: cinder
- require:
- pkg: cinder_volume_packages
@@ -133,7 +138,8 @@
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- makedirs: True
- - user: cinder
+ - mode: 0640
+ - user: root
- group: cinder
- defaults:
service_name: {{ service_name }}
@@ -184,6 +190,8 @@
- defaults:
backend: {{ backend|yaml }}
- template: jinja
+ - mode: 0640
+ - group: cinder
- require:
- pkg: cinder_volume_packages
@@ -265,6 +273,8 @@
file.managed:
- source: salt://cinder/files/{{ volume.version }}/cinder_fujitsu_eternus_dx.xml
- template: jinja
+ - mode: 0640
+ - group: cinder
- defaults:
backend_name: "{{ backend_name }}"
- require: