(maint) Restrict file permissions
PuppetDB runs as the puppetdb user.  This user must have read access to
the various configuration files but does not need write access to them.

This ensures the service configuration cannot be unexpectedly changed by
PuppetDB itself if some vulnerability allows arbitrary code execution,
limiting the possibilities of exploitation and pivoting if such a
vulnerability is found.
smortex authored and h0tw1r3 committed Feb 7, 2022
commit 36a8cd83f29d9f032d0b1cf04bff1f00b0fc52ed
24 changes: 10 additions & 14 deletions manifests/server.pp
Expand Up @@ -478,7 +478,6 @@
conn_max_age => $conn_max_age,
conn_lifetime => $conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
migrate => $migrate,
notify => Service[$puppetdb_service],
Expand Down Expand Up @@ -510,7 +509,6 @@
conn_max_age => $read_conn_max_age,
conn_lifetime => $read_conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
database_max_pool_size => $read_database_max_pool_size,
Expand All @@ -520,29 +518,29 @@
file {
$ssl_dir:
ensure => directory,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0700';
mode => '0755';
$ssl_key_path:
ensure => file,
content => $ssl_key,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service];
$ssl_cert_path:
ensure => file,
content => $ssl_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
$ssl_ca_cert_path:
ensure => file,
content => $ssl_ca_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
}
}
Expand All @@ -560,9 +558,9 @@

file { $ssl_key_pk8_path:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service],
}
}
Expand All @@ -583,7 +581,6 @@
confdir => $confdir,
max_threads => $max_threads,
notify => Service[$puppetdb_service],
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
}

Expand All @@ -592,7 +589,6 @@
certificate_whitelist => $certificate_whitelist,
disable_update_checking => $disable_update_checking,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
}
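Review bot: The `$ssl_dir` directory in the third hunk goes from `0700` to `0755`, which is looser than its contents need: the only reader besides root is the puppetdb group, and the private key at `$ssl_key_path` is `0640`, so `mode => '0750';` would keep the directory closed to other local users while still letting the service traverse it. The `0644` on the certificate and CA files is reasonable since those are public material. Dropping `puppetdb_user =>` from the sub-class declarations in the other hunks is consistent with the parameter removals in the sub-class files; the `puppetdb::server` class header and its own `$puppetdb_user` parameter are outside these hunks, so whether that parameter remains in use elsewhere cannot be judged here.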
5 changes: 2 additions & 3 deletions manifests/server/database.pp
Expand Up @@ -19,7 +19,6 @@
$conn_max_age = $puppetdb::params::conn_max_age,
$conn_lifetime = $puppetdb::params::conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::database_max_pool_size,
$migrate = $puppetdb::params::migrate,
Expand Down Expand Up @@ -50,9 +49,9 @@

file { $database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$database_ini]
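Review bot: Removing `$puppetdb_user` from the class parameter list in the first hunk is a public-interface change: any manifest that declares `puppetdb::server::database` with `puppetdb_user => ...` set explicitly will now fail catalog compilation with an unknown-parameter error, which a `(maint)` commit does not announce. The same removal appears in jetty.pp, puppetdb.pp and read_database.pp. If callers may be passing it, keeping an accepted-but-ignored `$puppetdb_user = undef,` parameter for one release, with a `warning()` when it is set, would make the tightening non-breaking; otherwise a changelog entry noting the removed parameter is warranted. The `file { $database_ini: ... }` change itself is sound: `root:$puppetdb_group` at `0640` gives the service read-only access to the database credentials. The class body continues outside the hunk.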
5 changes: 2 additions & 3 deletions manifests/server/jetty.pp
Expand Up @@ -16,16 +16,15 @@
Optional[String] $cipher_suites = $puppetdb::params::cipher_suites,
$confdir = $puppetdb::params::confdir,
$max_threads = $puppetdb::params::max_threads,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$jetty_ini = "${confdir}/jetty.ini"

file { $jetty_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/puppetdb.pp
Expand Up @@ -6,16 +6,15 @@
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
$disable_update_checking = $puppetdb::params::disable_update_checking,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$puppetdb_ini = "${confdir}/puppetdb.ini"

file { $puppetdb_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/read_database.pp
Expand Up @@ -13,7 +13,6 @@
$conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
Expand Down Expand Up @@ -44,9 +43,9 @@

file { $read_database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$read_database_ini]
4 changes: 2 additions & 2 deletions spec/unit/classes/server/database_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/database.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/jetty_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/jetty.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/puppetdb_ini_spec.rb
Expand Up @@ -30,9 +30,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/read_database_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server_spec.rb
Expand Up @@ -210,9 +210,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8')
.with(
ensure: 'file',
owner: 'puppetdb',
owner: 'root',
group: 'puppetdb',
mode: '0600',
mode: '0640',
)
end
end