Implementing stricter permissions on config files

The security guide suggests that /etc/horizon/local-settings.py should be owned by root and in the horizon group with 0640 permissions. Change-Id: I4a49394cd2afb92e0da1b233e21bad862ddee059 (cherry picked from commit ff47522cb0)
2017-02-06 16:14:09 -05:00 · 2017-02-06 16:14:09 -05:00 · 44c68f5ebf
commit 44c68f5ebf
parent 36afe83c82
4 changed files with 6 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -58,7 +58,8 @@ horizon_venv_download_url: http://127.0.0.1/venvs/untagged/ubuntu/horizon.tgz

 ## System info
 horizon_system_user_name: horizon
-horizon_system_group_name: www-data
+horizon_system_group_name: horizon
+
 horizon_system_shell: /bin/false
 horizon_system_comment: horizon system user
 horizon_system_user_home: "/var/lib/{{ horizon_system_user_name }}"
--- a/tasks/horizon_post_install.yml
+++ b/tasks/horizon_post_install.yml
@ -17,11 +17,11 @@
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ horizon_system_user_name }}"
+    owner: "{{ item.owner|default(horizon_system_user_name) }}"
    group: "{{ horizon_system_group_name }}"
    mode: "{{ item.mode }}"
  with_items:
-    - { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", mode: "0644" }
+    - { src: "horizon_local_settings.py.j2", dest: "/etc/horizon/local_settings.py", owner: "root", mode: "0640" }
    - { src: "horizon-manage.py.j2", dest: "{{ horizon_bin }}/horizon-manage.py", mode: "0755" }
    - { src: "80_admin_default_panel.py.j2", dest: "{{ horizon_lib_dir }}/openstack_dashboard/local/enabled/_80_admin_default_panel.py", mode: "0755" }
  notify: Restart apache2
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -38,7 +38,7 @@ horizon_apache_site_enabled: "/etc/apache2/sites-enabled/openstack-dashboard.con

 horizon_apache_configs:
  - { src: "horizon_apache_ports.conf.j2", dest: "/etc/apache2/ports.conf", owner: "root", group: "root" }
-  - { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}" }
+  - { src: "openstack_dashboard.conf.j2", dest: "{{ horizon_apache_site_available }}", owner: "root", group: "root" }

 horizon_apache_default_sites:
  - "/etc/apache2/sites-enabled/000-default.conf"
--- a/vars/redhat-7.yml
+++ b/vars/redhat-7.yml
@ -35,7 +35,7 @@ horizon_apache_security_conf: "{{ horizon_apache_conf }}"

 horizon_apache_configs:
  - { src: "horizon_apache_ports.conf.j2", dest: "/etc/httpd/conf.d/ports.conf", owner: "root", group: "root" }
-  - { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf" }
+  - { src: "openstack_dashboard.conf.j2", dest: "/etc/httpd/conf.d/openstack-dashboard.conf", owner: "root", group: "root" }

 horizon_apache_default_sites:
  - "/etc/httpd/conf.d/userdir.conf"