Eevans has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/303846

Change subject: Install config owned by dedicated user
......................................................................

Install config owned by dedicated user

The current ownership/perms on the restbase config are:

    -r--r--r-- 1 root root 42993 Aug  4 22:46 /etc/restbase/config.yaml

Which allows any user to read the config.  This seems unwise considering
the file contains r/w credentials for Cassandra.

This changeset makes the dedicated service user the file owner, and sets
perms to 0440.

Change-Id: I104e8f70424c6148d70ceb3ca357d8a3c17ac7fc
---
M modules/service/manifests/node.pp
1 file changed, 7 insertions(+), 5 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/46/303846/1

diff --git a/modules/service/manifests/node.pp b/modules/service/manifests/node.pp
index f8668cc..170bafe 100644
--- a/modules/service/manifests/node.pp
+++ b/modules/service/manifests/node.pp
@@ -148,6 +148,8 @@
     $deployment_user = 'deploy-service',
     $deployment_config = false,
     $contact_groups  = hiera('contactgroups', 'admins'),
+    $service_user    = $title,
+    $service_group   = $title,
 ) {
     case $deployment {
         'scap3': {
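Review bot: the new `$service_user` and `$service_group` parameters are added without any documentation of what they control or that they default to `$title`; add them to the class's parameter documentation. The next hunk keeps `name => $title` on the group and `gid => $title` on the user, so the documentation should also say whether overriding either parameter to a value other than `$title` is actually supported.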
@@ -216,14 +218,14 @@
     require_package('nodejs', 'nodejs-legacy', 'firejail')
 
     # User/group
-    group { $title:
+    group { $service_group:
         ensure => present,
         name   => $title,
         system => true,
         before => Service[$title],
     }
 
-    user { $title:
+    user { $service_user:
         gid    => $title,
         home   => '/nonexistent',
         shell  => '/bin/false',
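Review bot: only the resource titles were switched to `$service_group` / `$service_user`; `name => $title` on the group and `gid => $title` on the user still hard-code `$title`. If `$service_group` is overridden to anything other than `$title`, the group actually created is still named `$title`, while the `file` resource later in this change sets `group => $service_group`, which then names a group that does not exist and the catalog fails. Either change those two lines to `name => $service_group,` and `gid => $service_group,`, or drop the new parameters and keep `$title` throughout.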
@@ -261,9 +263,9 @@
         file { "/etc/${title}/config.yaml":
             ensure  => present,
             content => $complete_config,
-            owner   => 'root',
-            group   => 'root',
-            mode    => '0444',
+            owner   => $service_user,
+            group   => $service_group,
+            mode    => '0440',
             tag     => "${title}::config",
         }
     }
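Review bot: making the service account the file owner lets that account chmod or replace its own config (`0440` restricts other users, but the owner can always change the mode), so a compromised service could rewrite the Cassandra credentials it runs with. Consider `owner => 'root', group => $service_group, mode => '0440',` instead: the file stays root-owned and unreadable to other users, and the service reads it through the group. That also gives the group-read bit in `0440` a purpose; with owner and group both defaulting to `$title` as written, it grants nothing the owner does not already have.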


Gerrit-MessageType: newchange
Gerrit-Change-Id: I104e8f70424c6148d70ceb3ca357d8a3c17ac7fc
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Eevans <eev...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
