@smortex smortex commented Feb 8, 2022

PuppetDB runs as the puppetdb user. This user must have read access to the various configuration files but does not need write access to them.

This ensures the service configuration cannot be unexpectedly changed by PuppetDB itself if some vulnerability allows random code execution, limiting the possibilities of exploitation and pivoting if such a vulnerability is found.

This is a companion PR to #342: the FreeBSD port insists on secure file permissions and will enforce them when the service starts. On the next Puppet run, the module will consider it configuration drift, revert to the previous less paranoid configuration and reload the service, which will harden the file modes immediately. Rather than optionally ignoring the file modes, it makes more sense to use a hardened configuration by default.

PuppetDB runs as the puppetdb user.  This user must have read access to
the various configuration files but does not need write access to them.

This ensures the service configuration cannot be unexpectedly changed by
PuppetDB itself if some vulnerability allows random code execution,
limiting the possibilities of exploitation and pivoting if such a
vulnerability is found.
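A defender-side check of the property described above, added here as an example (not code from the puppetlabs-puppetdb module or the FreeBSD port): it lists configuration files that a given service account could modify, derived from each file's owner, group and mode bits. The account name and its group list are passed in (constructed), so the check runs without that account existing on the box; the config directory in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit a config directory for files writable by a service
# account. Not part of the puppetlabs-puppetdb module.

# Print "owner group octal-mode" for a path (GNU stat, then BSD stat).
file_meta() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %OLp' "$1"
}

# writable_by USER GROUPS FILE -> exit 0 if the mode bits let USER write FILE.
# GROUPS is a space-separated list of the groups USER belongs to (constructed).
# Unix semantics: owner bits apply if USER owns the file, otherwise group bits
# if USER is in the file's group, otherwise the "other" bits.
writable_by() {
    user=$1 groups=$2 path=$3
    meta=$(file_meta "$path") || return 2
    set -- $meta
    owner=$1 group=$2 mode=$3
    mode=000$mode; mode=${mode#"${mode%???}"}   # keep the last three octal digits
    u=${mode%??}; g=${mode#?}; g=${g%?}; o=${mode#??}
    if [ "$owner" = "$user" ]; then
        [ "$((u & 2))" -ne 0 ]; return
    fi
    for grp in $groups; do
        if [ "$grp" = "$group" ]; then
            [ "$((g & 2))" -ne 0 ]; return
        fi
    done
    [ "$((o & 2))" -ne 0 ]
}

# audit_config USER GROUPS DIR -> print every regular file in DIR that USER
# could write; exit 1 if any was found, 0 if the directory is clean.
audit_config() {
    found=0
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        if writable_by "$1" "$2" "$f"; then
            echo "WRITABLE by $1: $f ($(file_meta "$f"))"
            found=1
        fi
    done
    return $found
}

# Usage (placeholder path, not a path taken from the module):
#   audit_config puppetdb "puppetdb" /path/to/puppetdb/conf.d
```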
@smortex smortex requested a review from a team as a code owner February 8, 2022 02:40
@puppet-community-rangefinder

puppetdb::server is a class that may have no external impact to Forge modules.

puppetdb::server::database is a class that may have no external impact to Forge modules.

puppetdb::server::global is a class that may have no external impact to Forge modules.

puppetdb::server::jetty is a class that may have no external impact to Forge modules.

puppetdb::server::puppetdb is a class that may have no external impact to Forge modules.

puppetdb::server::read_database is a class that may have no external impact to Forge modules.

This module is declared in 33 of 578 indexed public Puppetfiles.
These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.


CLAassistant commented Apr 19, 2023

CLA assistant check
All committers have signed the CLA.

@h0tw1r3 h0tw1r3 force-pushed the security-file-permissions branch from 810aa3c to 36a8cd8 Compare May 5, 2024 16:33
@smortex smortex requested a review from bastelfreak as a code owner May 5, 2024 16:33
@bastelfreak bastelfreak merged commit 1475311 into puppetlabs:main May 6, 2024