authorTeemu Matilainen <teemu.matilainen@reaktor.fi>2012-10-10 13:08:12 -0300
committerBryan McLellan <btm@opscode.com>2012-10-11 11:35:17 -0700
commit92de5f30626fafc539082f49b6e829cbb71d30e3 (patch)
treed32cdec51d92de6e8a4c8913974554186db758ca
parentc823e49f681383c798adbbd8f57e3fc01a85fcd6 (diff)
downloadchef-92de5f30626fafc539082f49b6e829cbb71d30e3.tar.gz
[CHEF-3413] Protect secret files created by bootstrap templates
Set /etc/chef/validation.pem and /etc/chef/encrypted_data_bag_secret to be readable only by root.
-rw-r--r--chef/lib/chef/knife/bootstrap/archlinux-gems.erb2
-rw-r--r--chef/lib/chef/knife/bootstrap/centos5-gems.erb2
-rw-r--r--chef/lib/chef/knife/bootstrap/chef-full.erb3
-rw-r--r--chef/lib/chef/knife/bootstrap/fedora13-gems.erb2
-rw-r--r--chef/lib/chef/knife/bootstrap/ubuntu10.04-apt.erb2
-rw-r--r--chef/lib/chef/knife/bootstrap/ubuntu10.04-gems.erb2
-rw-r--r--chef/lib/chef/knife/bootstrap/ubuntu12.04-gems.erb2
7 files changed, 14 insertions, 1 deletions
diff --git a/chef/lib/chef/knife/bootstrap/archlinux-gems.erb b/chef/lib/chef/knife/bootstrap/archlinux-gems.erb
index 6dd57cc64d..85d6236197 100644
--- a/chef/lib/chef/knife/bootstrap/archlinux-gems.erb
+++ b/chef/lib/chef/knife/bootstrap/archlinux-gems.erb
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
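Review bot: The added `chmod 0600 /etc/chef/validation.pem` only tightens permissions after the `awk NF ... > /etc/chef/validation.pem` redirect has already created the file, so the key is briefly readable by other local users, and the intermediate /tmp/validation.pem written by `) > /tmp/validation.pem` is never restricted at all and sits in a shared world-readable directory until the `rm`. Unless the template already sets a restrictive umask earlier (the `(` that opens the subshell and the heredoc are outside this hunk, so I cannot confirm), both files are created with the shell's default umask, typically yielding 0644. A single `umask 077` placed before the first heredoc subshell closes that window for both files and makes the chmod a defence-in-depth step rather than the only protection; replacing the fixed /tmp path with a `mktemp`-created file would additionally avoid relying on a predictable name in a shared directory. The second hunk of this file (/tmp/encrypted_data_bag_secret) and the corresponding hunks in centos5-gems.erb, chef-full.erb, fedora13-gems.erb, ubuntu10.04-apt.erb, ubuntu10.04-gems.erb and ubuntu12.04-gems.erb have the same gap.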
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/centos5-gems.erb b/chef/lib/chef/knife/bootstrap/centos5-gems.erb
index 2b1b1816fe..f9626c3c2b 100644
--- a/chef/lib/chef/knife/bootstrap/centos5-gems.erb
+++ b/chef/lib/chef/knife/bootstrap/centos5-gems.erb
@@ -30,6 +30,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -39,6 +40,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/chef-full.erb b/chef/lib/chef/knife/bootstrap/chef-full.erb
index c02245690d..771ef85884 100644
--- a/chef/lib/chef/knife/bootstrap/chef-full.erb
+++ b/chef/lib/chef/knife/bootstrap/chef-full.erb
@@ -32,7 +32,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
-
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -42,6 +42,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/fedora13-gems.erb b/chef/lib/chef/knife/bootstrap/fedora13-gems.erb
index a216b4e313..a8448342df 100644
--- a/chef/lib/chef/knife/bootstrap/fedora13-gems.erb
+++ b/chef/lib/chef/knife/bootstrap/fedora13-gems.erb
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/ubuntu10.04-apt.erb b/chef/lib/chef/knife/bootstrap/ubuntu10.04-apt.erb
index 14a924e032..0e44361d82 100644
--- a/chef/lib/chef/knife/bootstrap/ubuntu10.04-apt.erb
+++ b/chef/lib/chef/knife/bootstrap/ubuntu10.04-apt.erb
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/ubuntu10.04-gems.erb b/chef/lib/chef/knife/bootstrap/ubuntu10.04-gems.erb
index 88dcc48286..63448fc4d3 100644
--- a/chef/lib/chef/knife/bootstrap/ubuntu10.04-gems.erb
+++ b/chef/lib/chef/knife/bootstrap/ubuntu10.04-gems.erb
@@ -24,6 +24,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -33,6 +34,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
diff --git a/chef/lib/chef/knife/bootstrap/ubuntu12.04-gems.erb b/chef/lib/chef/knife/bootstrap/ubuntu12.04-gems.erb
index df128300db..e7da7db39b 100644
--- a/chef/lib/chef/knife/bootstrap/ubuntu12.04-gems.erb
+++ b/chef/lib/chef/knife/bootstrap/ubuntu12.04-gems.erb
@@ -19,6 +19,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -28,6 +29,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>