From 7d07f23914f67a9f3ae1a8143c4312fb798d51e4 Mon Sep 17 00:00:00 2001
From: Dan Bode
Date: Wed, 20 Mar 2013 15:20:04 -0700
Subject: [PATCH] update permission of paste config to 600 to ensure that any system users cannot read credentials stored in the file.
---
 manifests/base.pp | 4 +++-
 spec/classes/cinder_base_spec.rb | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/manifests/base.pp b/manifests/base.pp
index e3bbc585..10538c8d 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -37,7 +37,9 @@ class cinder::base (
 mode => '0600',
 }
 
- file { $::cinder::params::cinder_paste_api_ini: }
+ file { $::cinder::params::cinder_paste_api_ini:
+ mode => '0600',
+ }
 
 # Temporary fixes
 file { ['/var/log/cinder', '/var/lib/cinder']:
diff --git a/spec/classes/cinder_base_spec.rb b/spec/classes/cinder_base_spec.rb
index b1a8d55f..a6c2c86c 100644
--- a/spec/classes/cinder_base_spec.rb
+++ b/spec/classes/cinder_base_spec.rb
@@ -40,5 +40,13 @@ describe 'cinder::base' do
 )
 end
 
+ it { should contain_file('/etc/cinder/cinder.conf').with(
+ :mode => '0600'
+ ) }
+
+ it { should contain_file('/etc/cinder/api-paste.ini').with(
+ :mode => '0600'
+ ) }
+
 end
 end
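Review bot: The new `file` resource for `$::cinder::params::cinder_paste_api_ini` sets only `mode => '0600'`, and no owner or group is visible in this hunk. Whether the file ends up readable by the cinder service account and by nobody else therefore depends on resource defaults defined outside the hunk (the class body starts and ends outside it). If no such default exists, set the ownership explicitly next to the mode. Either way, a comment such as `# api-paste.ini can hold service credentials; keep it unreadable by other local users` would record why the mode is strict. The new examples in spec/classes/cinder_base_spec.rb likewise assert only `:mode => '0600'`; adding the expected owner and group to the same `.with(...)` would catch an ownership regression as well.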