Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files
should be owned by root and in the service user group with 0640 permissions.

http://docs.openstack.org/security-guide/networking/checklist.html

Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
Travis Truman 2017-02-07 14:24:18 -05:00
parent 3d3a2c3e7d
commit f927760d88
2 changed files with 14 additions and 16 deletions


@ -17,9 +17,9 @@
config_template: config_template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "{{ item.owner|default(neutron_system_user_name) }}" owner: "root"
group: "{{ item.group|default(neutron_system_group_name) }}" group: "{{ item.group|default(neutron_system_group_name) }}"
mode: "0644" mode: "0640"
config_overrides: "{{ item.config_overrides }}" config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
with_items: with_items:
@ -37,8 +37,6 @@
config_type: "ini" config_type: "ini"
- src: "rootwrap.conf.j2" - src: "rootwrap.conf.j2"
dest: "{{ neutron_conf_dir }}/rootwrap.conf" dest: "{{ neutron_conf_dir }}/rootwrap.conf"
owner: "root"
group: "root"
config_overrides: "{{ neutron_rootwrap_conf_overrides }}" config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
config_type: "ini" config_type: "ini"
- src: "policy.json.j2" - src: "policy.json.j2"
@ -52,9 +50,9 @@
config_template: config_template:
src: "{{ neutron_plugins[item].plugin_ini }}.j2" src: "{{ neutron_plugins[item].plugin_ini }}.j2"
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}" dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}" config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
config_type: "ini" config_type: "ini"
with_items: "{{ neutron_plugin_types }}" with_items: "{{ neutron_plugin_types }}"
@ -63,9 +61,9 @@
config_template: config_template:
src: "dnsmasq-neutron.conf.j2" src: "dnsmasq-neutron.conf.j2"
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf" dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}" config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
config_type: "ini" config_type: "ini"
notify: notify:
@ -82,9 +80,9 @@
config_template: config_template:
src: "{{ item.value.service_conf }}.j2" src: "{{ item.value.service_conf }}.j2"
dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}" dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
owner: "{{ neutron_system_user_name }}" owner: "root"
group: "{{ neutron_system_group_name }}" group: "{{ neutron_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ item.value.config_overrides }}" config_overrides: "{{ item.value.config_overrides }}"
config_type: "{{ item.value.config_type }}" config_type: "{{ item.value.config_type }}"
with_dict: "{{ neutron_services }}" with_dict: "{{ neutron_services }}"
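Review bot: Hard-coding `owner: "root"` in the first hunk (@ -17,9) drops the `item.owner|default(...)` override that the surrounding `with_items` loop previously honoured, so any remaining item that still sets `owner` is silently ignored, and the same applies to `mode`, which has no per-item override at all. The second hunk (@ -37,8) then removes the explicit `owner: "root"` / `group: "root"` from the rootwrap.conf item, so its group now falls through to `neutron_system_group_name` instead of root; that is a change in rootwrap.conf ownership that the commit message does not mention and should at least be called out, or avoided by keeping `group: "root"` on that item. If per-item tightening is wanted, keeping the override pattern with stricter defaults preserves both: `owner: "{{ item.owner|default('root') }}"` and `mode: "{{ item.mode|default('0640') }}"`. The enclosing task definition begins above the first hunk, so the task name and any `when`/`notify` it carries are not visible here.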


@ -39,8 +39,8 @@
with_items: with_items:
- { path: "/openstack", owner: "root", group: "root" } - { path: "/openstack", owner: "root", group: "root" }
- { path: "{{ neutron_conf_dir }}", mode: "0750" } - { path: "{{ neutron_conf_dir }}", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/plugins" } - { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" } - { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
- { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" } - { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" } - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
- { path: "/var/cache/neutron" } - { path: "/var/cache/neutron" }
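Review bot: The directory tightening is applied per item (`mode: "0750"` added to the two `plugins` entries), while `/var/cache/neutron` and the entries without a `mode` still inherit whatever the task's `file:` arguments set, and those arguments are above this hunk and not visible. Since the intent is that no config directory is world-readable, it is safer to make `0750` the task-level default and let items override only where a laxer mode is deliberate, so a new entry added later cannot silently land with the looser default; a short comment above the list, such as `# config dirs default to 0750; override per item only when a service needs wider access`, would document that. Whether the task already applies a default mode or sets `recurse` cannot be confirmed from this hunk.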