Tighten permissions on Etherpad settings file

The file in which our Etherpad settings reside is templated with
sensitive data like an API key and DB password. Remove the world
readable bit from it, and also drop user/group write perms while
we're at it. Also switch the service's effective GID to match its
UID and make sure the config's ownership is set accordingly.

Change-Id: I65b70237b4bc8f4e63aa0b717702c124e01ed777
Jeremy Stanley 2024-05-01 16:26:39 +00:00
parent f6a131ebc0
commit f75191dbd4
2 changed files with 5 additions and 0 deletions

@ -89,6 +89,9 @@
template: template:
src: settings.json.j2 src: settings.json.j2
dest: /etc/etherpad/settings.json dest: /etc/etherpad/settings.json
owner: 5001
group: 5001
mode: '0440'
- name: Clean up from old ep_headings hack - name: Clean up from old ep_headings hack
file: file:
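
Review bot: The literal 5001 on the new owner and group lines is not tied to anything a reader of this task can see, and the same number is set separately as EP_GID=5001 in the image build arguments, so the two can drift apart. With mode '0440' the service can only read settings.json if the container really runs as that UID or GID. Consider a short comment on the task saying that 5001 is the container's etherpad UID/GID, or a shared variable that both places reference.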

@ -9,6 +9,8 @@
- context: docker/etherpad - context: docker/etherpad
target: production target: production
repository: opendevorg/etherpad repository: opendevorg/etherpad
build_args:
- EP_GID=5001
files: &etherpad_files files: &etherpad_files
- docker/etherpad/ - docker/etherpad/
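
Review bot: The new build_args entry passes EP_GID=5001, but this commit touches only two files and neither hunk shows the Dockerfile consuming that argument. Please confirm that the Dockerfile under docker/etherpad already declares EP_GID and applies it to the service user. If it does not, the argument has no effect, and read access to the 0440 settings file then rests on the UID alone rather than on the matching UID and GID the commit message describes.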