From 36a8cd83f29d9f032d0b1cf04bff1f00b0fc52ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Mon, 7 Feb 2022 12:18:41 -1000
Subject: [PATCH] (maint) Restrict file permissions
PuppetDB runs as the puppetdb user. This user must have read access to the various configuration files but does not need write access to them. This ensure the service configuration cannot be unexpectedly changed by PuppetDB itself if some vulnerability allow random code execution, limiting the possibilities of exploitation and pivoting if such a vulnerability is found.
---
 manifests/server.pp | 24 ++++++++-----------
 manifests/server/database.pp | 5 ++--
 manifests/server/jetty.pp | 5 ++--
 manifests/server/puppetdb.pp | 5 ++--
 manifests/server/read_database.pp | 5 ++--
 spec/unit/classes/server/database_ini_spec.rb | 4 ++--
 spec/unit/classes/server/jetty_ini_spec.rb | 4 ++--
 spec/unit/classes/server/puppetdb_ini_spec.rb | 4 ++--
 .../classes/server/read_database_ini_spec.rb | 4 ++--
 spec/unit/classes/server_spec.rb | 4 ++--
 10 files changed, 28 insertions(+), 36 deletions(-)
diff --git a/manifests/server.pp b/manifests/server.pp
index 6cae51d5..c04fd982 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -478,7 +478,6 @@
 conn_max_age => $conn_max_age,
 conn_lifetime => $conn_lifetime,
 confdir => $confdir,
- puppetdb_user => $puppetdb_user,
 puppetdb_group => $puppetdb_group,
 migrate => $migrate,
 notify => Service[$puppetdb_service],
@@ -510,7 +509,6 @@
 conn_max_age => $read_conn_max_age,
 conn_lifetime => $read_conn_lifetime,
 confdir => $confdir,
- puppetdb_user => $puppetdb_user,
 puppetdb_group => $puppetdb_group,
 notify => Service[$puppetdb_service],
 database_max_pool_size => $read_database_max_pool_size,
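Review bot: `$puppetdb_user` is no longer forwarded to the database and read_database sub-classes here, and the later hunks in this file replace its remaining file-resource uses with the literal `'root'`, yet the parameter itself stays on `puppetdb::server` (its declaration is outside these hunks). If nothing else in the class still reads it, a caller setting `puppetdb_user` now gets a silently accepted no-op, which is worse than a compile error for a security-motivated change. Either keep a visible consumer, or document it next to the parameter with something like `# @param puppetdb_user  No longer used for file ownership; configuration and SSL files are owned by root and readable via $puppetdb_group.` and mention the behaviour change in the changelog, which this diffstat does not touch.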
@@ -520,29 +518,29 @@
 file { $ssl_dir:
 ensure => directory,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0700';
+ mode => '0755';
 $ssl_key_path:
 ensure => file,
 content => $ssl_key,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 notify => Service[$puppetdb_service];
 $ssl_cert_path:
 ensure => file,
 content => $ssl_cert,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0644',
 notify => Service[$puppetdb_service];
 $ssl_ca_cert_path:
 ensure => file,
 content => $ssl_ca_cert,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0644',
 notify => Service[$puppetdb_service];
 }
 }
@@ -560,9 +558,9 @@
 file { $ssl_key_pk8_path:
 ensure => file,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 notify => Service[$puppetdb_service],
 }
 }
@@ -583,7 +581,6 @@
 confdir => $confdir,
 max_threads => $max_threads,
 notify => Service[$puppetdb_service],
- puppetdb_user => $puppetdb_user,
 puppetdb_group => $puppetdb_group,
 }
@@ -592,7 +589,6 @@
 certificate_whitelist => $certificate_whitelist,
 disable_update_checking => $disable_update_checking,
 confdir => $confdir,
- puppetdb_user => $puppetdb_user,
 puppetdb_group => $puppetdb_group,
 notify => Service[$puppetdb_service],
 }
diff --git a/manifests/server/database.pp b/manifests/server/database.pp
index 087f07b7..2e835e02 100644
--- a/manifests/server/database.pp
+++ b/manifests/server/database.pp
@@ -19,7 +19,6 @@
 $conn_max_age = $puppetdb::params::conn_max_age,
 $conn_lifetime = $puppetdb::params::conn_lifetime,
 $confdir = $puppetdb::params::confdir,
- $puppetdb_user = $puppetdb::params::puppetdb_user,
 $puppetdb_group = $puppetdb::params::puppetdb_group,
 $database_max_pool_size = $puppetdb::params::database_max_pool_size,
 $migrate = $puppetdb::params::migrate,
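Review bot: The owner is written as the bare literal `'root'` in every file resource of this hunk, and the same literal is repeated in the pk8 hunk below and in database.pp, jetty.pp, puppetdb.pp and read_database.pp, so there is no single place to adjust it for agents that do not run as root or for platforms where the superuser account is named differently. Since these classes already inherit `puppetdb::params`, a value defined once there (for example a `$config_owner` defaulting to `'root'`) and referenced as `owner => $config_owner,` would keep the intent in one spot. Separately, `$ssl_dir` moves from 0700 to 0755 and the certificate and CA files from 0600 to 0644, which makes them world-readable; that goes beyond the commit message's stated goal of read access for the puppetdb user, and `0750`/`0640` with `$puppetdb_group` would meet that goal with less exposure, so either tighten them or note in the resource comment why public-readable certificates are intended. The enclosing conditional block that contains these resources starts outside the hunk.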
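Review bot: Dropping `$puppetdb_user` from the signature of `puppetdb::server::database` is a breaking interface change for anyone declaring the class directly with that parameter, since Puppet rejects unknown class parameters at catalog compile time; the jetty.pp, puppetdb.pp and read_database.pp hunks remove it in the same way. Keeping it for one release as an unused parameter, e.g. `$puppetdb_user = undef, # deprecated: files are now owned by root`, with a `deprecation()` notice when it is set would give users a migration path, and the removal should be listed in the changelog, which the diffstat shows is not updated. The class parameter list continues outside the hunk.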
@@ -50,9 +49,9 @@
 file { $database_ini:
 ensure => file,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 }
 $file_require = File[$database_ini]
diff --git a/manifests/server/jetty.pp b/manifests/server/jetty.pp
index 1dca0670..9a4bbb47 100644
--- a/manifests/server/jetty.pp
+++ b/manifests/server/jetty.pp
@@ -16,16 +16,15 @@
 Optional[String] $cipher_suites = $puppetdb::params::cipher_suites,
 $confdir = $puppetdb::params::confdir,
 $max_threads = $puppetdb::params::max_threads,
- $puppetdb_user = $puppetdb::params::puppetdb_user,
 $puppetdb_group = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 $jetty_ini = "${confdir}/jetty.ini"
 file { $jetty_ini:
 ensure => file,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 }
 # Set the defaults
diff --git a/manifests/server/puppetdb.pp b/manifests/server/puppetdb.pp
index 1057be19..001547df 100644
--- a/manifests/server/puppetdb.pp
+++ b/manifests/server/puppetdb.pp
@@ -6,16 +6,15 @@
 $certificate_whitelist = $puppetdb::params::certificate_whitelist,
 $disable_update_checking = $puppetdb::params::disable_update_checking,
 $confdir = $puppetdb::params::confdir,
- $puppetdb_user = $puppetdb::params::puppetdb_user,
 $puppetdb_group = $puppetdb::params::puppetdb_group,
 ) inherits puppetdb::params {
 $puppetdb_ini = "${confdir}/puppetdb.ini"
 file { $puppetdb_ini:
 ensure => file,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 }
 # Set the defaults
diff --git a/manifests/server/read_database.pp b/manifests/server/read_database.pp
index b6155162..15aa2e7a 100644
--- a/manifests/server/read_database.pp
+++ b/manifests/server/read_database.pp
@@ -13,7 +13,6 @@
 $conn_max_age = $puppetdb::params::read_conn_max_age,
 $conn_lifetime = $puppetdb::params::read_conn_lifetime,
 $confdir = $puppetdb::params::confdir,
- $puppetdb_user = $puppetdb::params::puppetdb_user,
 $puppetdb_group = $puppetdb::params::puppetdb_group,
 $database_max_pool_size = $puppetdb::params::read_database_max_pool_size,
 $postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
@@ -44,9 +43,9 @@
 file { $read_database_ini:
 ensure => file,
- owner => $puppetdb_user,
+ owner => 'root',
 group => $puppetdb_group,
- mode => '0600',
+ mode => '0640',
 }
 $file_require = File[$read_database_ini]
diff --git a/spec/unit/classes/server/database_ini_spec.rb b/spec/unit/classes/server/database_ini_spec.rb
index 4d6a5810..4d9d7fa5 100644
--- a/spec/unit/classes/server/database_ini_spec.rb
+++ b/spec/unit/classes/server/database_ini_spec.rb
@@ -20,9 +20,9 @@
 is_expected.to contain_file("#{pdbconfdir}/database.ini")
 .with(
 'ensure' => 'file',
- 'owner' => 'puppetdb',
+ 'owner' => 'root',
 'group' => 'puppetdb',
- 'mode' => '0600',
+ 'mode' => '0640',
 )
 }
 it {
diff --git a/spec/unit/classes/server/jetty_ini_spec.rb b/spec/unit/classes/server/jetty_ini_spec.rb
index ce322bc6..1baf749b 100644
--- a/spec/unit/classes/server/jetty_ini_spec.rb
+++ b/spec/unit/classes/server/jetty_ini_spec.rb
@@ -20,9 +20,9 @@
 is_expected.to contain_file("#{pdbconfdir}/jetty.ini")
 .with(
 'ensure' => 'file',
- 'owner' => 'puppetdb',
+ 'owner' => 'root',
 'group' => 'puppetdb',
- 'mode' => '0600',
+ 'mode' => '0640',
 )
 }
 it {
diff --git a/spec/unit/classes/server/puppetdb_ini_spec.rb b/spec/unit/classes/server/puppetdb_ini_spec.rb
index 14d8907e..8ccb1bc3 100644
--- a/spec/unit/classes/server/puppetdb_ini_spec.rb
+++ b/spec/unit/classes/server/puppetdb_ini_spec.rb
@@ -30,9 +30,9 @@
 is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini')
 .with(
 'ensure' => 'file',
- 'owner' => 'puppetdb',
+ 'owner' => 'root',
 'group' => 'puppetdb',
- 'mode' => '0600',
+ 'mode' => '0640',
 )
 }
 it {
diff --git a/spec/unit/classes/server/read_database_ini_spec.rb b/spec/unit/classes/server/read_database_ini_spec.rb
index a5f189f0..277104a3 100644
--- a/spec/unit/classes/server/read_database_ini_spec.rb
+++ b/spec/unit/classes/server/read_database_ini_spec.rb
@@ -20,9 +20,9 @@
 is_expected.to contain_file('/etc/puppetlabs/puppetdb/conf.d/read_database.ini')
 .with(
 'ensure' => 'file',
- 'owner' => 'puppetdb',
+ 'owner' => 'root',
 'group' => 'puppetdb',
- 'mode' => '0600',
+ 'mode' => '0640',
 )
 }
 it {
diff --git a/spec/unit/classes/server_spec.rb b/spec/unit/classes/server_spec.rb
index 78cd4f49..7b9a3e11 100644
--- a/spec/unit/classes/server_spec.rb
+++ b/spec/unit/classes/server_spec.rb
@@ -210,9 +210,9 @@
 is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pk8')
 .with(
 ensure: 'file',
- owner: 'puppetdb',
+ owner: 'root',
 group: 'puppetdb',
- mode: '0600',
+ mode: '0640',
 )
 end
 end
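Review bot: Only the private.pk8 expectation is updated in server_spec.rb, while the manifests/server.pp hunk at -520 also changes `$ssl_dir` to 0755, `$ssl_key_path` to 0640 and the certificate and CA files to 0644; nothing in the diffstat pins those, so they appear to be untested before and after this change. Since the whole point of the commit is the permission model, each of those resources deserves an assertion alongside this one, e.g. `is_expected.to contain_file('/etc/puppetlabs/puppetdb/ssl/private.pem').with(owner: 'root', group: 'puppetdb', mode: '0640')` for the key, with the certificate and CA paths (not visible here) checked for `mode: '0644'`. The surrounding `describe`/`context` blocks start outside the hunk.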