Merge "Implementing stricter permissions on config files"

2017-02-08 15:30:31 +00:00 · 2017-02-08 15:30:31 +00:00 · 1ae06d5f3c
commit 1ae06d5f3c
parent 90a39df49c e9cf96f447
3 changed files with 4 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,6 +62,7 @@ releasenotes/build
 # Test temp files
 tests/common
 tests/playbooks
 tests/*.retry
 # Vagrant artifacts
--- a/tasks/cinder_post_install.yml
+++ b/tasks/cinder_post_install.yml
@ -17,9 +17,9 @@
  config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ item.owner|default(cinder_system_user_name) }}"
+    owner: "root"
    group: "{{ item.group|default(cinder_system_group_name) }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
@ -33,8 +33,6 @@
      config_type: "ini"
    - src: "rootwrap.conf.j2"
      dest: "/etc/cinder/rootwrap.conf"
      owner: "root"
      group: "root"
      config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
      config_type: "ini"
    - src: "policy.json.j2"
--- a/tasks/cinder_pre_install.yml
+++ b/tasks/cinder_pre_install.yml
@ -40,7 +40,7 @@
    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
    - { path: "/var/cache/cinder", mode: "0700" }
    - { path: "/etc/cinder", mode: "0750" }
-    - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root" }
+    - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
    - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
    - { path: "{{ cinder_system_home_folder }}" }