From e9cf96f4472177b23ce0dce43f7fe87927828776 Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Tue, 7 Feb 2017 12:12:31 -0500
Subject: [PATCH] Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions.
http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-01-is-user-group-ownership-of-config-files-set-to-root-cinder
Change-Id: Ic175909c24bbc1f5a7d8e521d880e1a63afa887b
---
.gitignore | 1 +
tasks/cinder_post_install.yml | 6 ++----
tasks/cinder_pre_install.yml | 2 +-
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index b57b99d2..0fe7c0c5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,7 @@ releasenotes/build
# Test temp files
tests/common
+tests/playbooks
tests/*.retry
# Vagrant artifacts
diff --git a/tasks/cinder_post_install.yml b/tasks/cinder_post_install.yml
index c96f4cc3..ce067959 100644
--- a/tasks/cinder_post_install.yml
+++ b/tasks/cinder_post_install.yml
@@ -17,9 +17,9 @@
config_template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
- owner: "{{ item.owner|default(cinder_system_user_name) }}"
+ owner: "root"
group: "{{ item.group|default(cinder_system_group_name) }}"
- mode: "0644"
+ mode: "0640"
config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}"
with_items:
@@ -33,8 +33,6 @@
config_type: "ini"
- src: "rootwrap.conf.j2"
dest: "/etc/cinder/rootwrap.conf"
- owner: "root"
- group: "root"
config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
config_type: "ini"
- src: "policy.json.j2"
diff --git a/tasks/cinder_pre_install.yml b/tasks/cinder_pre_install.yml
index 5b1cd95c..77fe75e4 100644
--- a/tasks/cinder_pre_install.yml
+++ b/tasks/cinder_pre_install.yml
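Review bot: The new `owner: "root"` in the first post_install hunk drops the per-item override that `group` on the very next line still honours, so an `owner:` key on any `with_items` entry is now silently ignored while a `group:` key is not. Either keep the hook symmetric with `owner: "{{ item.owner|default('root') }}"`, or — since the intent of the change is that the service user must never own its own config — make `group` equally fixed with `group: "{{ cinder_system_group_name }}"` so the hardening cannot be relaxed by a stray item; the latter is a no-op for every item visible in this diff. With world-read removed by `mode: "0640"`, anything that reads these files without running as the cinder user or in the cinder group (a separate web-server user in front of cinder-api, monitoring agents) will start failing, so a comment above that line, `# 0640 root:<service group>: readable only via group membership (security-guide check-block-01)`, makes the intent explicit for whoever hits that. The `with_items` list continues outside the hunk, so entries beyond the ones shown may still carry an `owner:` that is now dead.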
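Review bot: rootwrap.conf is presumably the file cinder-rootwrap reads when it is invoked through sudo, so for the escalation path what matters is that neither the file nor its parent directory is writable by the service user; the second post_install hunk fixes the file (root-owned, `0640`), but `/etc/cinder` is created in `cinder_pre_install.yml` with `mode: "0750"` and no explicit owner, and if that directory defaults to the service user (as the explicit `owner: "root"` on its sibling entries suggests), the cinder user can still unlink and recreate `rootwrap.conf` with contents of its choosing. Consider pinning the directory alongside this change: `- { path: "/etc/cinder", mode: "0750", owner: "root", group: "{{ cinder_system_group_name }}" }`. Dropping `group: "root"` here also moves rootwrap.conf from root:root to root:<service group>, which matches the linked check, but a one-line comment on the item, `# root:<service group> 0640 — rootwrap runs as root, the service user only needs read`, would stop the next reader from putting `group: "root"` back.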
@@ -40,7 +40,7 @@
- { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- { path: "/var/cache/cinder", mode: "0700" }
- { path: "/etc/cinder", mode: "0750" }
- - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root" }
+ - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "{{ cinder_system_home_folder }}" }