Implementing stricter permissions on config files

The security guide suggests that service config files should be owned by root and in the service user group with 0640 permissions. Change-Id: Ieed27e44ee102cbad1585926bc5604a52a1ce060
2017-02-08 09:24:49 -05:00 · 2017-02-08 09:24:49 -05:00 · a690884608
commit a690884608
parent 3dcf3b5da7
1 changed files with 2 additions and 4 deletions
--- a/tasks/nova_post_install.yml
+++ b/tasks/nova_post_install.yml
@ -29,9 +29,9 @@
  config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ item.owner|default(nova_system_user_name) }}"
+    owner: "root"
    group: "{{ item.group|default(nova_system_group_name) }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
@ -41,8 +41,6 @@
      config_type: "ini"
    - src: "rootwrap.conf.j2"
      dest: "/etc/nova/rootwrap.conf"
-      owner: "root"
-      group: "root"
      config_overrides: "{{ nova_rootwrap_conf_overrides }}"
      config_type: "ini"
    - src: "api-paste.ini.j2"