Restrict access to certificate files

The certificate files don't need x bits. Also these files, especially the private key file should have very restricted access. Closes-Bug: #2049203 Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3
2024-01-12 22:31:17 +09:00 · 2024-01-12 22:31:17 +09:00 · a382404ddd
parent 869993e13a
commit a382404ddd
2 changed files with 9 additions and 9 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -188,7 +188,7 @@ class octavia::certificates (
      content   => $ca_private_key_data,
      group     => $file_permission_owner,
      owner     => $file_permission_group,
-      mode      => '0755',
+      mode      => '0640',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
@ -207,7 +207,7 @@ class octavia::certificates (
      content   => $client_ca_data,
      group     => $file_permission_owner,
      owner     => $file_permission_group,
-      mode      => '0755',
+      mode      => '0640',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
@ -229,7 +229,7 @@ class octavia::certificates (
      content   => $client_cert_data,
      group     => $file_permission_owner,
      owner     => $file_permission_group,
-      mode      => '0755',
+      mode      => '0640',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@ -100,7 +100,7 @@ describe 'octavia::certificates' do
          'content'   => 'on_my_authority_this_is_a_certificate',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',
@ -110,7 +110,7 @@ describe 'octavia::certificates' do
          'content'   => 'this_is_my_private_key_woot_woot',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',
@ -120,7 +120,7 @@ describe 'octavia::certificates' do
          'content'   => 'certainly_for_the_client',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',
@ -167,7 +167,7 @@ describe 'octavia::certificates' do
          'content'   => 'on_my_authority_this_is_a_certificate',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',
@ -177,7 +177,7 @@ describe 'octavia::certificates' do
          'content'   => 'this_is_my_private_key_woot_woot',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',
@ -187,7 +187,7 @@ describe 'octavia::certificates' do
          'content'   => 'certainly_for_the_client',
          'owner'     => 'octavia',
          'group'     => 'octavia',
-          'mode'      => '0755',
+          'mode'      => '0640',
          'replace'   => true,
          'show_diff' => false,
          'tag'       => 'octavia-certificate',