Update designate config files permissions
The /etc/designate/*.conf and *.yaml files are world-readable.
This may lead to sensitive information leakage and cloud compromise.
Set designate config files permissions to 0640.
Set designate config files owner and group to root:designate.
Change-Id: If81d1bdb4caa29a642f00f6ee2b113f684f80504
diff --git a/designate/server.sls b/designate/server.sls
index fed7379..1a756c1 100644
--- a/designate/server.sls
+++ b/designate/server.sls
@@ -19,6 +19,8 @@
file.managed:
- source: salt://designate/files/rndc.key
- template: jinja
+ - mode: 0640
+ - group: designate
- require:
- pkg: designate_server_packages
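Review bot: The rndc.key state gains `- group: designate` but no owner, so the root:designate ownership stated in the commit message only holds if the minion's default (the user Salt runs as) happens to be root; add `- user: root` beside the group line here and in the designate.conf, api-paste.ini and pools.yaml hunks, which have the same gap, to match what the logging.conf hunks already set explicitly. The mode is also written as an unquoted `0640` in every hunk; a generic YAML 1.1 parser reads that as the octal integer 416, and while Salt's loader appears to special-case leading-zero integers, writing `- mode: '0640'` removes the ambiguity for yamllint and any other tooling that reads these states. The file.managed state for rndc.key begins outside the hunk, so whether a `user` is set on a line above cannot be confirmed from here.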
@@ -56,7 +58,8 @@
- name: /etc/designate/logging.conf
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- - user: designate
+ - mode: 0640
+ - user: root
- group: designate
- defaults:
service_name: designate
@@ -83,7 +86,8 @@
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- makedirs: True
- - user: designate
+ - mode: 0640
+ - user: root
- group: designate
- defaults:
service_name: {{ service_name }}
@@ -108,6 +112,8 @@
file.managed:
- source: salt://designate/files/{{ server.version }}/designate.conf.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: designate
- require:
- pkg: designate_server_packages
- require_in:
@@ -117,6 +123,8 @@
file.managed:
- source: salt://designate/files/{{ server.version }}/api-paste.ini
- template: jinja
+ - mode: 0640
+ - group: designate
- require:
- pkg: designate_server_packages
- require_in:
@@ -156,6 +164,8 @@
file.managed:
- source: salt://designate/files/{{ server.version }}/pools.yaml
- template: jinja
+ - mode: 0640
+ - group: designate
- require:
- pkg: designate_server_packages
diff --git a/designate/worker.sls b/designate/worker.sls
index fb3f91c..b1f52b6 100644
--- a/designate/worker.sls
+++ b/designate/worker.sls
@@ -42,7 +42,8 @@
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
- makedirs: True
- - user: designate
+ - mode: 0640
+ - user: root
- group: designate
- defaults:
service_name: {{ service_name }}