Implementing stricter permissions on config files
The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions. http://docs.openstack.org/security-guide/networking/checklist.html Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
parent
3d3a2c3e7d
commit
f927760d88
@ -17,9 +17,9 @@
|
||||
config_template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "{{ item.owner|default(neutron_system_user_name) }}"
|
||||
owner: "root"
|
||||
group: "{{ item.group|default(neutron_system_group_name) }}"
|
||||
mode: "0644"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ item.config_overrides }}"
|
||||
config_type: "{{ item.config_type }}"
|
||||
with_items:
|
||||
@ -37,8 +37,6 @@
|
||||
config_type: "ini"
|
||||
- src: "rootwrap.conf.j2"
|
||||
dest: "{{ neutron_conf_dir }}/rootwrap.conf"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
- src: "policy.json.j2"
|
||||
@ -52,9 +50,9 @@
|
||||
config_template:
|
||||
src: "{{ neutron_plugins[item].plugin_ini }}.j2"
|
||||
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
|
||||
owner: "{{ neutron_system_user_name }}"
|
||||
owner: "root"
|
||||
group: "{{ neutron_system_group_name }}"
|
||||
mode: "0644"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
with_items: "{{ neutron_plugin_types }}"
|
||||
@ -63,9 +61,9 @@
|
||||
config_template:
|
||||
src: "dnsmasq-neutron.conf.j2"
|
||||
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
|
||||
owner: "{{ neutron_system_user_name }}"
|
||||
owner: "root"
|
||||
group: "{{ neutron_system_group_name }}"
|
||||
mode: "0644"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
|
||||
config_type: "ini"
|
||||
notify:
|
||||
@ -82,9 +80,9 @@
|
||||
config_template:
|
||||
src: "{{ item.value.service_conf }}.j2"
|
||||
dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
|
||||
owner: "{{ neutron_system_user_name }}"
|
||||
owner: "root"
|
||||
group: "{{ neutron_system_group_name }}"
|
||||
mode: "0644"
|
||||
mode: "0640"
|
||||
config_overrides: "{{ item.value.config_overrides }}"
|
||||
config_type: "{{ item.value.config_type }}"
|
||||
with_dict: "{{ neutron_services }}"
|
||||
|
@ -39,8 +39,8 @@
|
||||
with_items:
|
||||
- { path: "/openstack", owner: "root", group: "root" }
|
||||
- { path: "{{ neutron_conf_dir }}", mode: "0750" }
|
||||
- { path: "{{ neutron_conf_dir }}/plugins" }
|
||||
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" }
|
||||
- { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
|
||||
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
|
||||
- { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
|
||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||
- { path: "/var/cache/neutron" }
|
||||
|