Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions. Change-Id: I60f8aa7cfb61b15be847fb3d380b0926fb1009dd
2017-02-07 12:36:38 -05:00 · 2017-02-07 12:36:38 -05:00 · 8117a82245
commit 8117a82245
parent 3bf6db5b76
2 changed files with 3 additions and 3 deletions
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
@ -17,9 +17,9 @@
  config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ glance_system_user_name }}"
+    owner: "root"
    group: "{{ glance_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
--- a/tasks/glance_pre_install.yml
+++ b/tasks/glance_pre_install.yml
@ -38,7 +38,7 @@
    mode: "{{ item.mode|default('0755') }}"
  with_items:
    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
-    - { path: "/etc/glance", mode: "0755" }
+    - { path: "/etc/glance", mode: "0750" }
    - { path: "/var/cache/glance" }
    - { path: "{{ glance_system_user_home }}" }
    - { path: "{{ glance_system_user_home }}/cache/api", mode: "0700" }