(maint) Restrict file permissions

smortex · smortex · commit 810aa3c99b7b · 2022-02-07T16:35:10.000-10:00
PuppetDB runs as the puppetdb user.  This user must have read access to
the various configuration files but does not need write access to them.

This ensure the service configuration cannot be unexpectedly changed by
PuppetDB itself if some vulnerability allow random code execution,
limiting the possibilities of exploitation and pivoting if such a
vulnerability is found.
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -149,7 +149,6 @@
   class { 'puppetdb::server::global':
     vardir         => $vardir,
     confdir        => $confdir,
-    puppetdb_user  => $puppetdb_user,
     puppetdb_group => $puppetdb_group,
     notify         => Service[$puppetdb_service],
   }
@@ -190,7 +189,6 @@
     conn_keep_alive           => $conn_keep_alive,
     conn_lifetime             => $conn_lifetime,
     confdir                   => $confdir,
-    puppetdb_user             => $puppetdb_user,
     puppetdb_group            => $puppetdb_group,
     migrate                   => $migrate,
     notify                    => Service[$puppetdb_service],
@@ -225,7 +223,6 @@
     conn_keep_alive        => $read_conn_keep_alive,
     conn_lifetime          => $read_conn_lifetime,
     confdir                => $confdir,
-    puppetdb_user          => $puppetdb_user,
     puppetdb_group         => $puppetdb_group,
     notify                 => Service[$puppetdb_service],
     database_max_pool_size => $read_database_max_pool_size,
@@ -235,29 +232,29 @@
     file {
       $ssl_dir:
         ensure => directory,
-        owner  => $puppetdb_user,
+        owner  => 'root',
         group  => $puppetdb_group,
-        mode   => '0700';
+        mode   => '0755';
       $ssl_key_path:
         ensure  => file,
         content => $ssl_key,
-        owner   => $puppetdb_user,
+        owner   => 'root',
         group   => $puppetdb_group,
-        mode    => '0600',
+        mode    => '0640',
         notify  => Service[$puppetdb_service];
       $ssl_cert_path:
         ensure  => file,
         content => $ssl_cert,
-        owner   => $puppetdb_user,
+        owner   => 'root',
         group   => $puppetdb_group,
-        mode    => '0600',
+        mode    => '0644',
         notify  => Service[$puppetdb_service];
       $ssl_ca_cert_path:
         ensure  => file,
         content => $ssl_ca_cert,
-        owner   => $puppetdb_user,
+        owner   => 'root',
         group   => $puppetdb_group,
-        mode    => '0600',
+        mode    => '0644',
         notify  => Service[$puppetdb_service];
     }
   }
@@ -275,9 +272,9 @@
 
     file { $ssl_key_pk8_path:
       ensure => present,
-      owner  => $puppetdb_user,
+      owner  => 'root',
       group  => $puppetdb_group,
-      mode   => '0600',
+      mode   => '0640',
       notify => Service[$puppetdb_service]
     }
   }
@@ -298,7 +295,6 @@
     confdir            => $confdir,
     max_threads        => $max_threads,
     notify             => Service[$puppetdb_service],
-    puppetdb_user      => $puppetdb_user,
     puppetdb_group     => $puppetdb_group,
   }
 
@@ -307,7 +303,6 @@
     certificate_whitelist      => $certificate_whitelist,
     disable_update_checking    => $disable_update_checking,
     confdir                    => $confdir,
-    puppetdb_user              => $puppetdb_user,
     puppetdb_group             => $puppetdb_group,
     notify                     => Service[$puppetdb_service],
   }
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
@@ -21,7 +21,6 @@
   $conn_keep_alive           = $puppetdb::params::conn_keep_alive,
   $conn_lifetime             = $puppetdb::params::conn_lifetime,
   $confdir                   = $puppetdb::params::confdir,
-  $puppetdb_user             = $puppetdb::params::puppetdb_user,
   $puppetdb_group            = $puppetdb::params::puppetdb_group,
   $database_max_pool_size    = $puppetdb::params::database_max_pool_size,
   $migrate                   = $puppetdb::params::migrate,
@@ -54,9 +53,9 @@
 
   file { $database_ini:
     ensure => file,
-    owner  => $puppetdb_user,
+    owner  => 'root',
     group  => $puppetdb_group,
-    mode   => '0600',
+    mode   => '0640',
   }
 
   $file_require = File[$database_ini]
diff --git a/manifests/server/global.pp b/manifests/server/global.pp
@@ -2,17 +2,16 @@
 class puppetdb::server::global (
   $vardir         = $puppetdb::params::vardir,
   $confdir        = $puppetdb::params::confdir,
-  $puppetdb_user  = $puppetdb::params::puppetdb_user,
   $puppetdb_group = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
   $config_ini = "${confdir}/config.ini"
 
   file { $config_ini:
     ensure => file,
-    owner  => $puppetdb_user,
+    owner  => 'root',
     group  => $puppetdb_group,
-    mode   => '0600',
+    mode   => '0640',
   }
 
   # Set the defaults
diff --git a/manifests/server/jetty.pp b/manifests/server/jetty.pp
@@ -14,17 +14,16 @@
   Optional[String] $cipher_suites = $puppetdb::params::cipher_suites,
   $confdir                        = $puppetdb::params::confdir,
   $max_threads                    = $puppetdb::params::max_threads,
-  $puppetdb_user                  = $puppetdb::params::puppetdb_user,
   $puppetdb_group                 = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
   $jetty_ini = "${confdir}/jetty.ini"
 
   file { $jetty_ini:
     ensure => file,
-    owner  => $puppetdb_user,
+    owner  => 'root',
     group  => $puppetdb_group,
-    mode   => '0600',
+    mode   => '0640',
   }
 
   # Set the defaults
diff --git a/manifests/server/puppetdb.pp b/manifests/server/puppetdb.pp
@@ -4,17 +4,16 @@
   $certificate_whitelist      = $puppetdb::params::certificate_whitelist,
   $disable_update_checking    = $puppetdb::params::disable_update_checking,
   $confdir                    = $puppetdb::params::confdir,
-  $puppetdb_user              = $puppetdb::params::puppetdb_user,
   $puppetdb_group             = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 
   $puppetdb_ini = "${confdir}/puppetdb.ini"
 
   file { $puppetdb_ini:
     ensure => file,
-    owner  => $puppetdb_user,
+    owner  => 'root',
     group  => $puppetdb_group,
-    mode   => '0600',
+    mode   => '0640',
   }
 
   # Set the defaults
diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp
@@ -14,7 +14,6 @@
   $conn_keep_alive        = $puppetdb::params::read_conn_keep_alive,
   $conn_lifetime          = $puppetdb::params::read_conn_lifetime,
   $confdir                = $puppetdb::params::confdir,
-  $puppetdb_user          = $puppetdb::params::puppetdb_user,
   $puppetdb_group         = $puppetdb::params::puppetdb_group,
   $database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
   $postgresql_ssl_on      = $puppetdb::params::postgresql_ssl_on,
@@ -47,9 +46,9 @@
 
     file { $read_database_ini:
       ensure => file,
-      owner  => $puppetdb_user,
+      owner  => 'root',
       group  => $puppetdb_group,
-      mode   => '0600',
+      mode   => '0640',
     }
 
     $file_require = File[$read_database_ini]
diff --git a/spec/unit/classes/server/database_ini_spec.rb b/spec/unit/classes/server/database_ini_spec.rb
@@ -19,9 +19,9 @@
         is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/database.ini')
           .with(
             'ensure'  => 'file',
-            'owner'   => 'puppetdb',
+            'owner'   => 'root',
             'group'   => 'puppetdb',
-            'mode'    => '0600',
+            'mode'    => '0640',
           )
       }
       it {
diff --git a/spec/unit/classes/server/global_ini_spec.rb b/spec/unit/classes/server/global_ini_spec.rb
@@ -26,9 +26,9 @@
         is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/config.ini')
           .with(
             'ensure'  => 'file',
-            'owner'   => 'puppetdb',
+            'owner'   => 'root',
             'group'   => 'puppetdb',
-            'mode'    => '0600',
+            'mode'    => '0640',
           )
       }
     end
diff --git a/spec/unit/classes/server/jetty_ini_spec.rb b/spec/unit/classes/server/jetty_ini_spec.rb
@@ -16,9 +16,9 @@
         is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/jetty.ini')
           .with(
             'ensure'  => 'file',
-            'owner'   => 'puppetdb',
+            'owner'   => 'root',
             'group'   => 'puppetdb',
-            'mode'    => '0600',
+            'mode'    => '0640',
           )
       }
       it {
diff --git a/spec/unit/classes/server/puppetdb_ini_spec.rb b/spec/unit/classes/server/puppetdb_ini_spec.rb
@@ -36,9 +36,9 @@
         is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')
           .with(
             'ensure'  => 'file',
-            'owner'   => 'puppetdb',
+            'owner'   => 'root',
             'group'   => 'puppetdb',
-            'mode'    => '0600',
+            'mode'    => '0640',
           )
       }
       it {
diff --git a/spec/unit/classes/server/read_database_ini_spec.rb b/spec/unit/classes/server/read_database_ini_spec.rb
@@ -29,9 +29,9 @@
         is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini')
           .with(
             'ensure'  => 'file',
-            'owner'   => 'puppetdb',
+            'owner'   => 'root',
             'group'   => 'puppetdb',
-            'mode'    => '0600',
+            'mode'    => '0640',
           )
       }
       it {
diff --git a/spec/unit/classes/server_spec.rb b/spec/unit/classes/server_spec.rb
@@ -202,9 +202,9 @@
             is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8')
               .with(
                 ensure: 'present',
-                owner: 'puppetdb',
+                owner: 'root',
                 group: 'puppetdb',
-                mode: '0600',
+                mode: '0640',
               )
           end
         end

Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,9 @@`
`19`	`19`	`is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/database.ini')`
`20`	`20`	`.with(`
`21`	`21`	`'ensure' => 'file',`
`22`		`- 'owner' => 'puppetdb',`
	`22`	`+ 'owner' => 'root',`
`23`	`23`	`'group' => 'puppetdb',`
`24`		`- 'mode' => '0600',`
	`24`	`+ 'mode' => '0640',`
`25`	`25`	`)`
`26`	`26`	`}`
`27`	`27`	`it {`
Original file line number	Diff line number	Diff line change
`@@ -26,9 +26,9 @@`
`26`	`26`	`is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/config.ini')`
`27`	`27`	`.with(`
`28`	`28`	`'ensure' => 'file',`
`29`		`- 'owner' => 'puppetdb',`
	`29`	`+ 'owner' => 'root',`
`30`	`30`	`'group' => 'puppetdb',`
`31`		`- 'mode' => '0600',`
	`31`	`+ 'mode' => '0640',`
`32`	`32`	`)`
`33`	`33`	`}`
`34`	`34`	`end`
Original file line number	Diff line number	Diff line change
`@@ -16,9 +16,9 @@`
`16`	`16`	`is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/jetty.ini')`
`17`	`17`	`.with(`
`18`	`18`	`'ensure' => 'file',`
`19`		`- 'owner' => 'puppetdb',`
	`19`	`+ 'owner' => 'root',`
`20`	`20`	`'group' => 'puppetdb',`
`21`		`- 'mode' => '0600',`
	`21`	`+ 'mode' => '0640',`
`22`	`22`	`)`
`23`	`23`	`}`
`24`	`24`	`it {`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,9 @@`
`36`	`36`	`is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')`
`37`	`37`	`.with(`
`38`	`38`	`'ensure' => 'file',`
`39`		`- 'owner' => 'puppetdb',`
	`39`	`+ 'owner' => 'root',`
`40`	`40`	`'group' => 'puppetdb',`
`41`		`- 'mode' => '0600',`
	`41`	`+ 'mode' => '0640',`
`42`	`42`	`)`
`43`	`43`	`}`
`44`	`44`	`it {`