Update heat config files permissions
The /etc/heat/*.conf|*.ini files and directories are world readable.
This may lead to sensitive information leakage and cloud compromise.
Set heat config files and directories permissions to 0640 and 0750 respectively.
Set heat config files and directories owner and group to root:heat.
Add the correct_file_permissions_heat and correct_dir_permissions_heat states.
Change-Id: I3f003b2f0b3f525ac20d8234eb6efac0cff8b3f3
Related-Prod: https://mirantis.jira.com/browse/PROD-22093
diff --git a/heat/server.sls b/heat/server.sls
index 266d5fb..775d562 100644
--- a/heat/server.sls
+++ b/heat/server.sls
@@ -14,6 +14,8 @@
   file.managed:
   - source: salt://heat/files/{{ server.version }}/heat.conf.{{ grains.os_family }}
   - template: jinja
+  - mode: 0640
+  - group: heat
   - require:
     - pkg: heat_server_packages
   - require_in:
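Review bot: The heat.conf state now sets `- group: heat` but no `user`, so the owner falls back to file.managed's default (the account the minion runs as, which is not declared anywhere in this hunk) rather than the `root:heat` the commit message promises; add `- user: root` beside `- group: heat` so the intended owner is explicit and the state matches the two logging.conf hunks, which do set `user: root`. The same omission applies to the api-paste.ini hunk that follows. The state ID that encloses this `file.managed:` block is above the hunk.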
@@ -23,6 +25,8 @@
   file.managed:
   - source: salt://heat/files/{{ server.version }}/api-paste.ini
   - template: jinja
+  - mode: 0640
+  - group: heat
   - require:
     - pkg: heat_server_packages
 
@@ -55,7 +59,8 @@
     - name: /etc/heat/logging.conf
     - source: salt://oslo_templates/files/logging/_logging.conf
     - template: jinja
-    - user: heat
+    - mode: 0640
+    - user: root
     - group: heat
     - defaults:
         service_name: heat
@@ -82,7 +87,8 @@
     - source: salt://oslo_templates/files/logging/_logging.conf
     - template: jinja
     - makedirs: True
-    - user: heat
+    - mode: 0640
+    - user: root
     - group: heat
     - defaults:
         service_name: {{ service_name }}
@@ -218,4 +224,14 @@
      - file: /etc/heat/heat.conf
 {%- endif %}
 
+correct_file_permissions_heat:
+  cmd.run:
+    - name: find /etc/heat -type f \( \! -perm 640 -o \! -user root -o \! -group heat \) -execdir chmod 640 {} + -execdir chown root:heat {} +
+    - onlyif: find /etc/heat -type f \( \! -perm 640 -o \! -user root -o \! -group heat \) -printf found | grep -q found
+
+correct_dir_permissions_heat:
+  cmd.run:
+    - name: find /etc/heat -type d \( \! -perm 750 -o \! -user root -o \! -group heat \) -execdir chmod 750 {} + -execdir chown root:heat {} +
+    - onlyif: find /etc/heat -type d \( \! -perm 750 -o \! -user root -o \! -group heat \) -printf found | grep -q found
+
 {%- endif %}
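Review bot: correct_file_permissions_heat and correct_dir_permissions_heat reimplement with cmd.run and find what file.directory provides natively (recursive enforcement of user, group and mode with separate dir_mode and file_mode), so the state output cannot show which paths were changed and the onlyif repeats the full predicate of the command it guards. One file.directory state on /etc/heat with recurse over user, group and mode is idempotent, reports per-path changes, and keeps exactly the same root:heat, 0750/0640 policy; it would also be worth a `- require:` on the package state so it cannot run before /etc/heat exists, since the current states rely only on definition order. If the cmd.run form is kept, the onlyif can stop at the first match instead of walking the whole tree: `- onlyif: find /etc/heat -type f \( \! -perm 640 -o \! -user root -o \! -group heat \) -print -quit | grep -q .` (and likewise for the directory state). Both new states sit inside a Jinja conditional whose opening is outside the hunk.
```yaml
heat_config_permissions:
  file.directory:
    - name: /etc/heat
    - user: root
    - group: heat
    - dir_mode: 750
    - file_mode: 640
    - recurse:
      - user
      - group
      - mode
    - require:
      - pkg: heat_server_packages
```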