voxpupuli/puppet-logrotate

Allow change of file mode for generated files

Closed this issue · 7 comments

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.4
  • Ruby: 1.8.7
  • Distribution: Redhat 6.9
  • Module version: 2.0.0

We need to fix security issues reported by OpenSCAP. One of those issues points out that the permissions of files which were installed by an RPM should always stay the same.
This module changes the permissions of the following files, though:

  • /etc/cron.daily/logrotate
  • /etc/logrotate.conf

What are you seeing

Permissions are getting changed during the Puppet run:

Notice: /Stage[main]/Logrotate::Config/Logrotate::Cron[daily]/File[/etc/cron.daily/logrotate]/mode: mode changed '0700' to '0555'
Notice: /Stage[main]/Logrotate::Defaults/Logrotate::Conf[/etc/logrotate.conf]/File[/etc/logrotate.conf]/mode: mode changed '0644' to '0444'

What behaviour did you expect instead

No mode change of files which were delivered by a RPM package.

Fix would require adding file mode parameters to cron defined type, and also a parameter somewhere else to change mode for /etc/logrotate.conf

Sorry - I disagree.

The mode for /etc/logrotate.conf is explicitly set inside conf.pp:

  file { $name:
    ensure  => $ensure,
    owner   => $logrotate::root_user,
    group   => $logrotate::root_group,
    mode    => '0444',
    content => template('logrotate/etc/logrotate.conf.erb'),
    require => Package['logrotate'],
  }

Setting the file mode at this point makes no sense.

...Fix would require adding file mode parameters to cron defined type...

If I switch it off with
logrotate::manage_cron_daily: false
this problem is gone.

@hoggle64 Miscommunication on my part here. My comment was outlining potential code in a new Pull Request that would be needed to fix your problem.

OK, thanks for the update.

TJM commented

+1 - We are also being dinged for OpenSCAP (security scan)

It would be nice if these parameters were added, and if they matched the RPM permissions by default :)

# rpm -V logrotate
SM5....T.  c /etc/cron.daily/logrotate
SM5....T.  c /etc/logrotate.conf
# ls -l /etc/logrotate.conf /etc/cron.daily/logrotate
-r-xr-xr-x. 1 root root 313 Mar 16 16:01 /etc/cron.daily/logrotate
-r--r--r--. 1 root root 175 Mar 16 16:01 /etc/logrotate.conf
# rpm -qlv logrotate | head -2
-rwx------    1 root    root                      219 Jan 24  2017 /etc/cron.daily/logrotate
-rw-r--r--    1 root    root                      662 Jul 31  2013 /etc/logrotate.conf
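The rpm -V and rpm -qlv output above is enough to reproduce the finding from the issue description offline. The script below is an added example for this thread, not code from the issue, from OpenSCAP or from puppet-logrotate; it embeds the two outputs posted above as constructed sample input and assumes nothing about the module's parameters. It decodes the nine rpm -V flag columns into attribute names, picks out the files whose mode differs from the package database (the condition the "permissions must match the RPM" rule complains about), and converts the packaged symbolic mode from rpm -qlv into the four-digit octal string a Puppet file mode would need to keep rpm -V clean. The mode conversion also handles setuid, setgid and sticky bits, which go beyond the two files in the sample.

```shell
#!/bin/sh
# Added example for this thread, not code from the issue or from
# puppet-logrotate. It decodes `rpm -V` flags and derives the packaged
# mode from `rpm -qlv`, so the OpenSCAP finding can be reproduced and the
# Puppet mode value that matches the RPM can be read off, without rpm.

# Constructed sample input: the lines posted in the comment above.
RPM_V_SAMPLE='SM5....T.  c /etc/cron.daily/logrotate
SM5....T.  c /etc/logrotate.conf'
RPM_QLV_SAMPLE='-rwx------    1 root    root                      219 Jan 24  2017 /etc/cron.daily/logrotate
-rw-r--r--    1 root    root                      662 Jul 31  2013 /etc/logrotate.conf'

# rpm -V prints nine flag columns, one per attribute, in this order:
#   S size, M mode, 5 digest, D device, L readlink, U user, G group,
#   T mtime, P capabilities.  '.' means the attribute matches the package
#   database.  An optional marker (c = config file) precedes the path.
# decode_flags FLAGS: print the names of the attributes that differ.
decode_flags() {
    _f=$1 _out=''
    while [ -n "$_f" ]; do
        _c=${_f%"${_f#?}"}   # first character
        _f=${_f#?}           # drop it
        case $_c in
            S) _n=size ;;     M) _n=mode ;;     5) _n=digest ;;
            D) _n=device ;;   L) _n=readlink ;; U) _n=user ;;
            G) _n=group ;;    T) _n=mtime ;;    P) _n=capabilities ;;
            *) _n='' ;;
        esac
        [ -z "$_n" ] || _out="${_out:+$_out,}$_n"
    done
    printf '%s\n' "$_out"
}

# mode_mismatches "<rpm -V output>": paths whose mode column (the 2nd) is M,
# i.e. exactly what the "permissions must match the RPM" rule flags.
mode_mismatches() {
    printf '%s\n' "$1" | awk 'substr($1, 2, 1) == "M" { print $NF }'
}

# sym_to_octal MODE: turn an ls / rpm -qlv mode such as -rwxr-x--- into the
# four-digit octal string Puppet's file resource takes. setuid/setgid/sticky
# become the leading digit; a trailing SELinux '.' from ls -l is ignored.
sym_to_octal() {
    _s=${1#?}   # drop the file-type column
    _perm=0 _special=0 _i=1
    while [ -n "$_s" ] && [ "$_i" -le 9 ]; do
        _c=${_s%"${_s#?}"}; _s=${_s#?}
        _perm=$((_perm * 2))
        case $_c in r|w|x|s|t) _perm=$((_perm + 1)) ;; esac
        case "$_i$_c" in
            3s|3S) _special=$((_special | 4)) ;;   # setuid
            6s|6S) _special=$((_special | 2)) ;;   # setgid
            9t|9T) _special=$((_special | 1)) ;;   # sticky
        esac
        _i=$((_i + 1))
    done
    printf '%o%03o\n' "$_special" "$_perm"
}

# packaged_mode "<rpm -qlv output>" PATH: octal mode the package recorded
# for PATH, i.e. the default a mode parameter would need to keep rpm -V clean.
packaged_mode() {
    _m=$(printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1; exit }')
    [ -n "$_m" ] || return 1
    sym_to_octal "$_m"
}

# Report every mode mismatch together with the mode the package expects.
printf '%s\n' "$RPM_V_SAMPLE" | while read -r flags rest; do
    case $flags in
        ?M*) path=${rest##* }
             printf '%s: differs in %s; packaged mode is %s\n' "$path" \
                 "$(decode_flags "$flags")" "$(packaged_mode "$RPM_QLV_SAMPLE" "$path")" ;;
    esac
done
```

On a live host the two samples would be replaced by the real `rpm -V logrotate` and `rpm -qlv logrotate` output. The last whitespace-separated field is taken as the path, so packaged paths containing spaces are not handled; the S, 5 and T columns in the sample are expected whenever Puppet writes its own template over a config file, and only the M column is what the permissions rule is about.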

@TJM could you provide a fix for that?

TJM commented

@bastelfreak would it be wrong to convert to module hiera data to add this feature? :-/