Tighten permissions for PXE directories

Make the HTTP directory not world readable by default.
Images may contain secrets, so regular users should not read them.

Add nginx and dnsmasq to the ironic group so that they can read ironic
files that are group accessible.

Change-Id: Iaa8585fb48e5db6c0d5063dca0d84c9d2300f0c9

playbooks/roles/bifrost-ironic-install/defaults/main.yml

@@ -11,6 +11,7 @@ fast_track: true
 
 tftp_boot_folder: /tftpboot
 http_boot_folder: /var/lib/ironic/httpboot
+boot_folder_permissions: "0750"
 ironic_tftp_master_path: /var/lib/ironic/master_images
 staging_drivers_include: false
 file_url_port: "8080"

playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml

@@ -102,10 +102,21 @@
 - name: "Create an ironic service group"
   group:
     name: "ironic"
+
 - name: "Create an ironic service user"
   user:
     name: "ironic"
     group: "ironic"
+
+- name: "Add nginx and dnsmasq to the ironic group"
+  user:
+    name: "{{ item }}"
+    groups: "ironic"
+    append: yes
+  loop:
+    - "{{ nginx_user }}"
+    - dnsmasq
+
 - name: "Ensure /etc/ironic exists"
   file:
     name: "/etc/ironic"
@@ -113,6 +124,7 @@
     owner: "ironic"
     group: "ironic"
     mode: 0755
+
 # Note(TheJulia): The rootwrap copies will need to be re-tooled
 # to possibly directly retreive current files if a source install
 # is not utilized.
@@ -261,8 +273,8 @@
   file:
     path: "{{ dnsmasq_additional_hostsdir }}"
     state: directory
-    owner: "root"
-    group: "root"
+    owner: "dnsmasq"
+    group: "ironic"
     mode: 0755
   when: dnsmasq_additional_hostsdir is defined
 
@@ -270,8 +282,8 @@
   file:
     path: "{{ dnsmasq_dhcp_hostsdir }}"
     state: directory
-    owner: "root"
-    group: "root"
+    owner: "dnsmasq"
+    group: "ironic"
     mode: 0755
 
 - name: "Retrieve interface IP informations"
@@ -392,7 +404,7 @@
     state: directory
     mode: 0750
     owner: "ironic"
-    group: "{{ nginx_user }}"
+    group: "ironic"
   loop:
     - "/var/lib/ironic"
     - "/var/lib/ironic/master_images"

playbooks/roles/bifrost-ironic-install/tasks/create_tftpboot.yml

@@ -15,11 +15,27 @@
 ---
 # TODO(TheJulia): The pxelinux folder is statically coded in ironic.
 # For now, we need to use it, but we can patch that.
-- name: "Set up PXE and iPXE folders"
-  file: name={{ item }} owner=ironic group=ironic state=directory mode=0755
+- name: "Set up PXE folders"
+  file:
+    name: "{{ item }}"
+    owner: ironic
+    group: ironic
+    state: directory
+    # FIXME(dtantsur): dnsmasq cannot work if the files are not world readable
+    # or owned by it, I don't understand why.
+    mode: 0755
   loop:
     - "{{ tftp_boot_folder }}"
     - "{{ tftp_boot_folder }}/pxelinux.cfg"
+
+- name: "Set up HTTP folders"
+  file:
+    name: "{{ item }}"
+    owner: ironic
+    group: ironic
+    state: directory
+    mode: "{{ boot_folder_permissions }}"
+  loop:
     - "{{ http_boot_folder }}"
     - "{{ http_boot_folder }}/pxelinux.cfg"
 

playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml

@@ -111,7 +111,7 @@
     dest=/etc/ironic-inspector/inspector.conf
     owner=ironic
     group=ironic
-    mode=0740
+    mode=0640
 - name: "Inspector - Create the log directories (if requested)"
   file:
     name: "{{ item }}"

releasenotes/notes/perm-8b4236c6eddf1f1f.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    The TFTP and HTTP directories are no longer world-readable by default.
+    Set ``boot_folder_permissions`` to override.

scripts/collect-test-info.sh

@@ -82,9 +82,9 @@ sudo journalctl -u uwsgi@keystone-public &> ${LOG_LOCATION}/keystone-public.log
 
 # Copy PXE information
 mkdir -p ${LOG_LOCATION}/pxe/
-ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
-cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/
-cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
+sudo ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
+sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/"
+sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
 
 # Copy baremetal information
 source $HOME/openrc bifrost