From 72936c538fd062872934dafb95f69178af911c42 Mon Sep 17 00:00:00 2001
From: Denys Havrysh
Date: Tue, 28 Nov 2017 15:32:05 +0200
Subject: [PATCH] Secure filesystem permissions for config file and data dir

---
 consul/config.sls  | 21 +++++++++++----------
 consul/install.sls | 11 +++++++----
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/consul/config.sls b/consul/config.sls
index 812287a..44c39c9 100644
--- a/consul/config.sls
+++ b/consul/config.sls
@@ -1,18 +1,19 @@
-{% from slspath + "/map.jinja" import consul with context %}
+{%- from slspath + '/map.jinja' import consul with context -%}
 
 consul-config:
   file.serialize:
     - name: /etc/consul.d/config.json
-    {% if consul.service != False %}
-    - watch_in:
-      - service: consul
-    {% endif %}
-    - user: consul
-    - group: consul
-    - require:
-      - user: consul
     - formatter: json
     - dataset: {{ consul.config }}
+    - user: {{ consul.user }}
+    - group: {{ consul.group }}
+    - mode: 0640
+    - require:
+      - user: consul-user
+    {%- if consul.service %}
+    - watch_in:
+      - service: consul
+    {%- endif %}
 
 {% for script in consul.scripts %}
 consul-script-install-{{ loop.index }}:
@@ -36,7 +37,7 @@ consul-script-config:
     - user: {{ consul.user }}
     - group: {{ consul.group }}
     - require:
-      - user: consul
+      - user: consul-user
     - formatter: json
     - dataset:
         services: {{ consul.register }}
diff --git a/consul/install.sls b/consul/install.sls
index c608ca0..e89856e 100644
--- a/consul/install.sls
+++ b/consul/install.sls
@@ -1,4 +1,4 @@
-{% from slspath+"/map.jinja" import consul with context %}
+{%- from slspath + '/map.jinja' import consul with context -%}
 
 consul-dep-unzip:
   pkg.installed:
@@ -17,7 +17,8 @@ consul-group:
 consul-user:
   user.present:
    - name: {{ consul.user }}
-    - gid: {{ consul.group }}
+    - groups:
+      - {{ consul.group }}
     - createhome: False
     - system: True
     - require:
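Review bot: `- mode: 0640` on the consul-config state is an unquoted leading-zero literal; a plain YAML 1.1 loader reads it as the integer 416, and Salt's own documentation asks for modes as strings, so write `- mode: '0640'` (Salt's loader does special-case this, but the quoted form is the documented one and what yamllint expects). A second point on the same lines: config.json is now owned by the account the agent runs as, so a compromised agent can rewrite its own configuration; if `consul.config` carries the gossip `encrypt` key or ACL tokens, `- user: root` with `- group: {{ consul.group }}` and mode 0640 keeps the file readable by the agent but not writable by it. That is worth considering unless something else in the formula relies on the consul account owning the file.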
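Review bot: consul-script-config still sets no `- mode:`, so the services JSON is written with the minion's umask (typically world-readable) while config.json in the same commit is tightened to 0640; unless a mode is set in the lines above this hunk, add `- mode: '0640'` after `- group: {{ consul.group }}`. Service definitions from `consul.register` can carry check commands and tokens, so they deserve the same protection as the main config. The state's header and `- name:` line are outside the hunk.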
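Review bot: Replacing `- gid:` with `- groups:` on consul-user stops pinning the account's primary group: `groups` manages supplementary membership (and user.present removes unlisted supplementary groups by default), while the primary group becomes whatever useradd chooses on that minion, which on most Linux systems only coincides with `{{ consul.group }}` when the group name equals the user name. Supplementary membership is enough to read the 0640/0750 paths, but files the agent itself creates under data_dir will carry its primary group rather than `{{ consul.group }}` whenever the two differ. Consider keeping `- gid: {{ consul.group }}` alongside `- groups:`, or add a comment stating why the primary group was dropped.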
@@ -29,13 +30,15 @@ consul-config-dir:
     - name: /etc/consul.d
     - user: {{ consul.user }}
     - group: {{ consul.group }}
+    - mode: 0750
 
 consul-data-dir:
   file.directory:
     - name: {{ consul.config.data_dir }}
-    - user: consul
-    - group: consul
     - makedirs: True
+    - user: {{ consul.user }}
+    - group: {{ consul.group }}
+    - mode: 0750
 
 # Install agent
 consul-download:
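Review bot: `- mode: 0750` on both consul-config-dir and consul-data-dir is an unquoted leading-zero literal that a plain YAML 1.1 loader turns into the integer 488; Salt special-cases it, but `- mode: '0750'` is the documented form and what yamllint expects. Without `recurse` the mode applies to the directory itself only, which for data_dir is still the right fix: 0750 on the top directory denies traversal to everyone outside `{{ consul.group }}` regardless of the modes Consul later gives the raft state and serf keyring it keeps inside. A short comment above `consul-data-dir`, e.g. `# 0750: data_dir holds raft state and the serf keyring; block traversal by other users`, would record that intent for the next maintainer.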