Faidon Liambotis has submitted this change and it was merged.

Change subject: sslcert: add /etc/ssl/private, set mode to 0711
......................................................................


sslcert: add /etc/ssl/private, set mode to 0711

Define File['/etc/ssl/private'] and set its mode to 0711. This
effectively adds o+x to it, so that we can have keypairs with a
different group than ssl-cert, something that is already supported by
::certificate. This allows a more granular approach than the
all-or-nothing of adding certain system users (like Debian-exim) to the
ssl-cert group.

Change-Id: Ief43aeebb22a062f8a47cfdb5af42d493ef33e7c
---
M modules/sslcert/manifests/init.pp
1 file changed, 10 insertions(+), 0 deletions(-)

Approvals:
  Filippo Giunchedi: Looks good to me, but someone else must approve
  Alexandros Kosiaris: Looks good to me, but someone else must approve
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/sslcert/manifests/init.pp 
b/modules/sslcert/manifests/init.pp
index cc144ad..dc790e3 100644
--- a/modules/sslcert/manifests/init.pp
+++ b/modules/sslcert/manifests/init.pp
@@ -30,6 +30,16 @@
         require => Package['ssl-cert'],
     }
 
+    # default permissions are 0710 which is overly restrictive; we support
+    # setting $group to allow other groups to access certain keypairs
+    file { '/etc/ssl/private':
+        ensure  => directory,
+        owner   => 'root',
+        group   => 'ssl-cert',
+        mode    => '0711',
+        require => Package['ssl-cert'],
+    }
+
     # generic script for fetching the OCSP file for a given cert
     file { '/usr/local/sbin/update-ocsp':
         mode   => '0555',
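Review bot: With `mode => '0711'` on File['/etc/ssl/private'], the directory stops being an access gate for local users outside ssl-cert. The added o+x lets any account traverse into it, so the confidentiality of every key stored there now rests entirely on that file's own owner, group and mode. The comment above the resource only says 0710 is "overly restrictive". I would state the resulting invariant there: files under this directory must carry no permission bits for "other", and must be group-owned by either ssl-cert or the intended `$group`. It would also help to name the resource that writes the keypairs, so a reader can confirm it sets an explicit mode rather than inheriting a umask. The directory is still not readable by others, so filenames cannot be listed, but key filenames tend to be predictable and that should not be relied on as protection.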

-- 
To view, visit https://gerrit.wikimedia.org/r/239801
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ief43aeebb22a062f8a47cfdb5af42d493ef33e7c
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: BBlack <bbl...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits