From 68f1e2db5154fe6c54fd020714cb0b405b33c3cd Mon Sep 17 00:00:00 2001
From: David Moreau Simard <dms@redhat.com>
Date: Fri, 18 Mar 2016 17:44:44 -0400
Subject: [PATCH] The local_settings file should not be world readable

It might contain sensitive information and as such it's
readability should be restricted.

Change-Id: I9d5605b8e9959796de33fa6cb0d3963bbe3cc0bb
Closes-Bug: rhbz#1217089
---
 manifests/init.pp                                             | 4 +++-
 .../notes/local-settings-permissions-666e7cd5d55cf813.yaml    | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index bb6374be..d9742a82 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -394,7 +394,9 @@ class horizon(
   }
 
   concat { $::horizon::params::config_file:
-    mode    => '0644',
+    mode    => '0640',
+    owner   => $::horizon::params::wsgi_user,
+    group   => $::horizon::params::wsgi_group,
     require => Package['horizon'],
   }
 
diff --git a/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml b/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml
new file mode 100644
index 00000000..4d27de3a
--- /dev/null
+++ b/releasenotes/notes/local-settings-permissions-666e7cd5d55cf813.yaml
@@ -0,0 +1,4 @@
+---
+security:
+  - local_settings file is no longer world readable (from 644 to 640) as it may
+    contain sensitive information.