From f927760d880362b76e8a79d8394e6b54f9b40c48 Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Tue, 7 Feb 2017 14:24:18 -0500
Subject: [PATCH] Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions.
http://docs.openstack.org/security-guide/networking/checklist.html
Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
---
 tasks/neutron_post_install.yml | 26 ++++++++++++--------------
 tasks/neutron_pre_install.yml | 4 ++--
 2 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml
index 0702d3c3..abe0432c 100644
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@@ -17,9 +17,9 @@
 config_template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
- owner: "{{ item.owner|default(neutron_system_user_name) }}"
+ owner: "root"
 group: "{{ item.group|default(neutron_system_group_name) }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ item.config_overrides }}"
 config_type: "{{ item.config_type }}"
 with_items:
@@ -37,8 +37,6 @@
 config_type: "ini"
 - src: "rootwrap.conf.j2"
 dest: "{{ neutron_conf_dir }}/rootwrap.conf"
- owner: "root"
- group: "root"
 config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
 config_type: "ini"
 - src: "policy.json.j2"
@@ -52,9 +50,9 @@
 config_template:
 src: "{{ neutron_plugins[item].plugin_ini }}.j2"
 dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
- owner: "{{ neutron_system_user_name }}"
+ owner: "root"
 group: "{{ neutron_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
 config_type: "ini"
 with_items: "{{ neutron_plugin_types }}"
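Review bot: Hard-coding `owner: "root"` at -17 silently discards the per-item `item.owner|default(...)` override, so any entry in the `with_items` list that still carries an `owner:` key (the list is mostly outside this hunk; the -37 hunk shows one such key being removed for rootwrap.conf) is now ignored rather than honoured or rejected. If no item is meant to deviate, drop the stale keys from the list; otherwise keep the override with the new default, `owner: "{{ item.owner|default('root') }}"`, so an intentional exception stays visible in the list. The same owner and `mode: "0640"` change is repeated at -52, -63 and -82 and the same consideration applies there; note also that `group` still falls back to `neutron_system_group_name`, so rootwrap.conf moves from root:root 0644 to root:<service group> 0640, which matches the linked checklist but deserves a comment such as `# root-owned, readable by the service group only (security-guide networking checklist)` above the task.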
@@ -63,9 +61,9 @@
 config_template:
 src: "dnsmasq-neutron.conf.j2"
 dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
- owner: "{{ neutron_system_user_name }}"
+ owner: "root"
 group: "{{ neutron_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
 config_type: "ini"
 notify:
@@ -82,19 +80,19 @@
 config_template:
 src: "{{ item.value.service_conf }}.j2"
 dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
- owner: "{{ neutron_system_user_name }}"
+ owner: "root"
 group: "{{ neutron_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ item.value.config_overrides }}"
 config_type: "{{ item.value.config_type }}"
 with_dict: "{{ neutron_services }}"
 notify:
 - Restart neutron services
 when:
- item.value.service_en | bool
- item.value.service_conf_path is defined
- item.value.service_conf is defined
- item.value.group in group_names
+ - item.value.service_en | bool
+ - item.value.service_conf_path is defined
+ - item.value.service_conf is defined
+ - item.value.group in group_names

 - name: Copy neutron rootwrap filters
 copy:
diff --git a/tasks/neutron_pre_install.yml b/tasks/neutron_pre_install.yml
index 7c730cf7..59fd87fb 100644
--- a/tasks/neutron_pre_install.yml
+++ b/tasks/neutron_pre_install.yml
@@ -39,8 +39,8 @@
 with_items:
 - { path: "/openstack", owner: "root", group: "root" }
 - { path: "{{ neutron_conf_dir }}", mode: "0750" }
- - { path: "{{ neutron_conf_dir }}/plugins" }
- - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" }
+ - { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
+ - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
 - { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
 - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
 - { path: "/var/cache/neutron" }
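Review bot: `dnsmasq-neutron.conf` becomes root-owned 0640 at -63 like the neutron-read files, but this file is consumed by dnsmasq, which the DHCP agent launches through rootwrap and which drops to an unprivileged user after start-up. As far as I know dnsmasq parses `--conf-file` before dropping privileges and does not re-read it on SIGHUP (only the hosts/opts files are re-read), so 0640 should be safe, but it is the one file in this commit whose reader is not the service user, so please confirm against the dnsmasq version deployed. A comment above the task would keep a later mode change from regressing this, e.g. `# 0640 is sufficient: dnsmasq reads --conf-file as root before dropping privileges`.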
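Review bot: The two `plugins` directory entries at -39 gain `mode: "0750"` but, like the `{{ neutron_conf_dir }}` entry just above them, set no `owner`/`group`, whereas `/openstack` and `rootwrap.d` do; the task header that supplies the defaults is outside the hunk, so who ends up owning these directories is not visible here. If the default resolves to the service user, that user owns the directories and can rename or replace the root-owned 0640 files inside them, which defeats most of what the neutron_post_install.yml changes are meant to achieve. Unless the role needs the service user to write into these directories, pin the owner to match the files, e.g. `- { path: "{{ neutron_conf_dir }}", mode: "0750", owner: "root", group: "{{ neutron_system_group_name }}" }` and the same two fields on the two plugins entries.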