Secure salt minion files.
By default salt minion meta files are created with wide
permissions.
This leaves OS tokens and keystone credentials unprotected.
Patch fixes this.
Prod-Related: CEEMCP-13 unprotected keystone credentials
Customer-Found
Change-Id: I18283cff4aec795e0656b7b3519381792e8a6e54
diff --git a/salt/files/userdata b/salt/files/userdata
index ac3a286..2291c88 100644
--- a/salt/files/userdata
+++ b/salt/files/userdata
@@ -6,4 +6,6 @@
sh install_salt.sh
echo "id: {{ node_name }}.{{ cluster.domain }}" > /etc/salt/minion.d/minion.conf
echo "master: salt/master: {{ cluster.config.host }}" >> /etc/salt/minion.d/minion.conf
-service salt-minion restart
\ No newline at end of file
+chown root:root /etc/salt/minion.d/minion.conf
+chmod 0600 /etc/salt/minion.d/minion.conf
+service salt-minion restart
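Review bot: The two `echo … > /etc/salt/minion.d/minion.conf` lines above the new `chown`/`chmod` create the file under the script's default umask, so whatever they write is readable by every local user until `chmod 0600` runs a few lines later. Create the file restricted before the first write, e.g. `install -m 0600 -o root -g root /dev/null /etc/salt/minion.d/minion.conf` ahead of the first `echo`, or wrap the writes in `umask 077`; the added `chown`/`chmod` can then stay as a backstop. Whether the rendered master line actually carries credentials is not visible here, but the commit message says keystone credentials are at stake, so the ordering matters. The script begins outside the hunk.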
diff --git a/salt/master/minion.sls b/salt/master/minion.sls
index eab2509..0b40c05 100644
--- a/salt/master/minion.sls
+++ b/salt/master/minion.sls
@@ -8,6 +8,8 @@
file.managed:
- source: salt://salt/files/_orchestration.conf
- user: root
+ - group: root
+ - mode: 600
- template: jinja
- makedirs: true
- require:
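Review bot: The new `- mode: 600` is a plain YAML integer; Salt normalizes it, but the form is fragile because the conventional spelling `0600` is read as octal by a YAML 1.1 parser and would reach Salt as 384 unless Salt's loader intervenes. Quoting it, `- mode: "0600"`, pins it as a string and matches the `chmod 0600` used in userdata. The same applies to the `mode: 600` lines added in both base.sls hunks and all three service.sls hunks. The file.managed stanza continues outside the hunk.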
diff --git a/salt/minion/base.sls b/salt/minion/base.sls
index 62a1748..a9b1714 100644
--- a/salt/minion/base.sls
+++ b/salt/minion/base.sls
@@ -32,6 +32,7 @@
- source: salt://salt/files/minion.conf
- user: root
- group: root
+ - mode: 600
- template: jinja
- require:
- {{ minion.install_state }}
@@ -42,6 +43,8 @@
file.managed:
- source: salt://salt/files/_renderer.conf
- user: root
+ - group: root
+ - mode: 600
- template: jinja
- require:
- {{ minion.install_state }}
diff --git a/salt/minion/service.sls b/salt/minion/service.sls
index 6dbe75a..436b27c 100644
--- a/salt/minion/service.sls
+++ b/salt/minion/service.sls
@@ -31,6 +31,7 @@
- source: salt://salt/files/minion.conf
- user: root
- group: root
+ - mode: 600
- template: jinja
- require:
- {{ minion.install_state }}
@@ -45,6 +46,9 @@
salt_minion_config_{{ service_name }}_{{ name }}:
file.managed:
- name: /etc/salt/minion.d/_{{ name }}.conf
+ - user: root
+ - group: root
+ - mode: 600
- contents: |
{{ conf|yaml(False)|indent(8) }}
- require:
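Review bot: `/etc/salt/minion.d/_{{ name }}.conf` now gets root ownership and mode 600, which protects its rendered `contents`, but nothing in this commit constrains `/etc/salt/minion.d` itself, so any config placed there by a state without an explicit `mode` still inherits the process umask. A `file.directory` state for `/etc/salt/minion.d` with `user: root`, `group: root` and `mode: "0750"`, listed in this stanza's `require`, would keep the protection from depending on each file declaring its own mode — assuming no non-root consumer needs to read that directory, which is not visible here. The stanza's `require:` list continues outside the hunk.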
@@ -99,6 +103,8 @@
file.managed:
- source: salt://salt/files/_renderer.conf
- user: root
+ - group: root
+ - mode: 600
- template: jinja
- require:
- {{ minion.install_state }}