(maint) Restrict file permissions
PuppetDB runs as the puppetdb user.  This user must have read access to
the various configuration files but does not need write access to them.

This ensures the service configuration cannot be unexpectedly changed by
PuppetDB itself if some vulnerability allows arbitrary code execution,
limiting the possibilities of exploitation and pivoting if such a
vulnerability is found.
smortex authored and h0tw1r3 committed Feb 7, 2022
1 parent 3afd693 commit 36a8cd8
Showing 10 changed files with 28 additions and 36 deletions.
24 changes: 10 additions & 14 deletions manifests/server.pp
Expand Up @@ -478,7 +478,6 @@
conn_max_age => $conn_max_age,
conn_lifetime => $conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
migrate => $migrate,
notify => Service[$puppetdb_service],
Expand Down Expand Up @@ -510,7 +509,6 @@
conn_max_age => $read_conn_max_age,
conn_lifetime => $read_conn_lifetime,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
database_max_pool_size => $read_database_max_pool_size,
Expand All @@ -520,29 +518,29 @@
file {
$ssl_dir:
ensure => directory,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0700';
mode => '0755';
$ssl_key_path:
ensure => file,
content => $ssl_key,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service];
$ssl_cert_path:
ensure => file,
content => $ssl_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
$ssl_ca_cert_path:
ensure => file,
content => $ssl_ca_cert,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0644',
notify => Service[$puppetdb_service];
}
}
Expand All @@ -560,9 +558,9 @@

file { $ssl_key_pk8_path:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
notify => Service[$puppetdb_service],
}
}
Expand All @@ -583,7 +581,6 @@
confdir => $confdir,
max_threads => $max_threads,
notify => Service[$puppetdb_service],
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
}

Expand All @@ -592,7 +589,6 @@
certificate_whitelist => $certificate_whitelist,
disable_update_checking => $disable_update_checking,
confdir => $confdir,
puppetdb_user => $puppetdb_user,
puppetdb_group => $puppetdb_group,
notify => Service[$puppetdb_service],
}
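Review bot: The new modes on the SSL resources widen read access rather than only removing write access: `$ssl_dir` goes from 0700 to 0755 and `$ssl_cert_path`/`$ssl_ca_cert_path` from 0600 to 0644, which the commit message (read access for the puppetdb user, no write access) does not call for. Unless something outside `$puppetdb_group` must read these files, `mode => '0750'` on the directory and `mode => '0640'` on the two certificate files keep the previous least-privilege footprint while still moving ownership to root; the 0640 setting on `$ssl_key_path` and `$ssl_key_pk8_path` looks right, since the service only needs group read. Separately, with the `puppetdb_user =>` arguments dropped from the four class declarations, `$puppetdb_user` may now be unreferenced in `puppetdb::server` unless something outside these hunks still uses it; worth confirming it is still consumed, or documenting the parameter as retained for compatibility. The `puppetdb::server` class body extends beyond these hunks.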
5 changes: 2 additions & 3 deletions manifests/server/database.pp
Expand Up @@ -19,7 +19,6 @@
$conn_max_age = $puppetdb::params::conn_max_age,
$conn_lifetime = $puppetdb::params::conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::database_max_pool_size,
$migrate = $puppetdb::params::migrate,
Expand Down Expand Up @@ -50,9 +49,9 @@

file { $database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$database_ini]
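Review bot: Dropping the `$puppetdb_user` class parameter is a breaking interface change for any manifest that declares `puppetdb::server::database` directly with `puppetdb_user => ...`, because Puppet rejects unknown class parameters at catalog compilation; the same applies to the parameter removed in jetty.pp, puppetdb.pp and read_database.pp. Keeping it as an accepted but unused parameter, e.g. `$puppetdb_user = $puppetdb::params::puppetdb_user, # deprecated: no longer used` together with a `warning()` when a caller sets it, or flagging the removal as a breaking change in the changelog, would avoid surprising existing users. The owner/mode change on `$database_ini` itself is consistent with the other ini files in this commit. The class parameter list starts above the hunk.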
5 changes: 2 additions & 3 deletions manifests/server/jetty.pp
Expand Up @@ -16,16 +16,15 @@
Optional[String] $cipher_suites = $puppetdb::params::cipher_suites,
$confdir = $puppetdb::params::confdir,
$max_threads = $puppetdb::params::max_threads,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$jetty_ini = "${confdir}/jetty.ini"

file { $jetty_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/puppetdb.pp
Expand Up @@ -6,16 +6,15 @@
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
$disable_update_checking = $puppetdb::params::disable_update_checking,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
) inherits puppetdb::params {
$puppetdb_ini = "${confdir}/puppetdb.ini"

file { $puppetdb_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

# Set the defaults
5 changes: 2 additions & 3 deletions manifests/server/read_database.pp
Expand Up @@ -13,7 +13,6 @@
$conn_max_age = $puppetdb::params::read_conn_max_age,
$conn_lifetime = $puppetdb::params::read_conn_lifetime,
$confdir = $puppetdb::params::confdir,
$puppetdb_user = $puppetdb::params::puppetdb_user,
$puppetdb_group = $puppetdb::params::puppetdb_group,
$database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
$postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
Expand Down Expand Up @@ -44,9 +43,9 @@

file { $read_database_ini:
ensure => file,
owner => $puppetdb_user,
owner => 'root',
group => $puppetdb_group,
mode => '0600',
mode => '0640',
}

$file_require = File[$read_database_ini]
4 changes: 2 additions & 2 deletions spec/unit/classes/server/database_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/database.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/jetty_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file("#{pdbconfdir}/jetty.ini")
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/puppetdb_ini_spec.rb
Expand Up @@ -30,9 +30,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server/read_database_ini_spec.rb
Expand Up @@ -20,9 +20,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini')
.with(
'ensure' => 'file',
'owner' => 'puppetdb',
'owner' => 'root',
'group' => 'puppetdb',
'mode' => '0600',
'mode' => '0640',
)
}
it {
4 changes: 2 additions & 2 deletions spec/unit/classes/server_spec.rb
Expand Up @@ -210,9 +210,9 @@
is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8')
.with(
ensure: 'file',
owner: 'puppetdb',
owner: 'root',
group: 'puppetdb',
mode: '0600',
mode: '0640',
)
end
end
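Review bot: Only the `private.pk8` expectation is updated here, while manifests/server.pp in the same commit also changes `$ssl_dir` to root/0755, `$ssl_key_path` to 0640 and the two certificate files to 0644, and no expectation for those resources appears in this hunk. If server_spec.rb does not already cover them elsewhere, adding a matching check such as `is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl').with(owner: 'root', mode: '0755')` (the directory path is presumed from the pk8 path shown) plus the same for the key and certificate paths would pin the new permission set so a later regression is caught. The enclosing `describe` block continues outside the hunk.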
