Set permissions on user_secrets.yml to 0600

The permissions on the user_secrets file are too open; adjust this so that
after using pw-token-gen.py it sets the file to be 0600 for
user_secrets.yml and the backup tar file that is created. Additionally,
add a note in the README to recommend adjusting the permissions when not
utilising the pw-token-gen.py.

Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
Closes-Bug: #1461997
Andy McCrae 2015-06-11 11:21:52 +01:00 committed by Kevin Carter
parent e1862a190b
commit 3f8905caee
2 changed files with 3 additions and 0 deletions

@ -45,6 +45,7 @@ Notes
* The lxc network is created within the *lxcbr0* interface. This supports both NAT networks as well as more traditional networking. If NAT is enabled (default) the IPtables rules will be created along with the interface as a post-up processes. If you ever need to recreate the rules and or restart the dnsmask process you can bounce the interface IE: ``ifdown lxcb0; ifup lxcbr0`` or you can use the ``lxc-system-manage`` command.
* The tool ``lxc-system-manage`` is available on all lxc hosts and can assist in recreating parts of the LXC system whenever its needed.
* Inventory is generated by executing the ``playbooks/inventory/dynamic_inventory.py`` script. This is configured in the ``playbooks/ansible.cfg`` file.
* If you don't use the pw-token-gen.py script you will want to ensure the permissions on /etc/openstack_deploy/user_secrets.yml are more secure. ``chmod 0600 /etc/openstack_deploy/user_secrets.yml``
Bugs and Blueprints
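
Review bot: The new README bullet covers only /etc/openstack_deploy/user_secrets.yml, while the commit message says the backup tar file needs 0600 as well; anyone managing secrets by hand who keeps their own backup copy gets no guidance for it. "More secure" is also vague. Suggest stating the requirement directly, e.g. "the file should be readable and writable by its owner only (0600)", introducing the chmod command with "for example:" and adding a sentence that any backup copies of the secrets file need the same mode.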

@ -186,6 +186,7 @@ def main():
print('Creating backup file [ %s ]' % user_vars_tar_file)
# Create a tarball if needed
with tarfile.open(user_vars_tar_file, 'a') as tar:
os.chmod(user_vars_tar_file, 0o600)
basename = os.path.basename(user_vars_file)
# Time stamp the password file in UTC
utctime = datetime.datetime.utcnow()
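
Review bot: The os.chmod(user_vars_tar_file, 0o600) call runs only after tarfile.open(user_vars_tar_file, 'a') has created or opened the archive by path, so a newly created tar exists for a moment with umask-default permissions, and a chmod by path can act on a different file than the one just opened if the path is swapped in between. Setting os.umask(0o077) before the archive is opened would make the file restrictive from creation, with the chmod kept to tighten archives left over from earlier runs. A one-line comment saying the archive holds copies of the secrets file would explain why the mode matters here.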
@ -194,6 +195,7 @@ def main():
tar.add(user_vars_file, arcname=backup_name)
with open(user_vars_file, 'wb') as f:
os.chmod(user_vars_file, 0o600)
f.write(
yaml.safe_dump(
user_vars,
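
Review bot: In the second added line, os.chmod(user_vars_file, 0o600) comes after open(user_vars_file, 'wb') has already created or truncated the file, so the file exists briefly with whatever mode the umask allows (or keeps its old, wider mode), and a process that opens it in that window keeps its descriptor when the secrets are written by f.write(). Consider creating it with the mode applied atomically, e.g. os.fdopen(os.open(user_vars_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'wb'), followed by os.fchmod(f.fileno(), 0o600) to cover a pre-existing file, since fchmod works on the open descriptor rather than the path.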