Allow change of file mode for generated files
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 4.10.4
- Ruby: 1.8.7
- Distribution: Redhat 6.9
- Module version: 2.0.0
We need to fix security issues reported by OpenSCAP. One of those issues points out that the permissions of files which were installed by an RPM should always stay the same.
This module, though, changes the permissions of:
- /etc/cron.daily/logrotate
- /etc/logrotate.conf
What are you seeing
Permissions are getting changed during the Puppet run:
Notice: /Stage[main]/Logrotate::Config/Logrotate::Cron[daily]/File[/etc/cron.daily/logrotate]/mode: mode changed '0700' to '0555'
Notice: /Stage[main]/Logrotate::Defaults/Logrotate::Conf[/etc/logrotate.conf]/File[/etc/logrotate.conf]/mode: mode changed '0644' to '0444'
What behaviour did you expect instead
No mode change of files which were delivered by an RPM package.
Fix would require adding file mode parameters to cron defined type, and also a parameter somewhere else to change mode for /etc/logrotate.conf
Sorry - I disagree.
The mode for /etc/logrotate.conf is explicitly set inside conf.pp:
    file { $name:
      ensure  => $ensure,
      owner   => $logrotate::root_user,
      group   => $logrotate::root_group,
      mode    => '0444',
      content => template('logrotate/etc/logrotate.conf.erb'),
      require => Package['logrotate'],
    }
Setting the file mode at this point makes no sense.
...Fix would require adding file mode parameters to cron defined type...
If I switch it off with
logrotate::manage_cron_daily: false
this problem is gone.
@hoggle64 Miscommunication on my part here. My comment was outlining potential code in a new Pull Request that would be needed to fix your problem.
o.k. - thanks for the update
+1 - We are also being dinged for OpenSCAP (security scan)
It would be nice if these parameters were added and matched the RPM permissions by default :)
# rpm -V logrotate
SM5....T. c /etc/cron.daily/logrotate
SM5....T. c /etc/logrotate.conf
# ls -l /etc/logrotate.conf /etc/cron.daily/logrotate
-r-xr-xr-x. 1 root root 313 Mar 16 16:01 /etc/cron.daily/logrotate
-r--r--r--. 1 root root 175 Mar 16 16:01 /etc/logrotate.conf
# rpm -qlv logrotate | head -2
-rwx------ 1 root root 219 Jan 24 2017 /etc/cron.daily/logrotate
-rw-r--r-- 1 root root 662 Jul 31 2013 /etc/logrotate.conf
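The `rpm -V` output above is the check the OpenSCAP finding rests on. The following is an added example (not code from the logrotate module or from anyone in this thread) that parses that output and lists packaged config files whose mode no longer matches what the RPM database recorded; the two `SM5....T.` lines are the ones from this thread, the other sample lines are constructed.

```python
"""Parse `rpm -V` output and list package-owned files whose recorded
attributes no longer match the RPM database (added example)."""
import re

# Column i of the 9-character flag field -> attribute, per rpm(8).
ATTRS = ("size", "mode", "digest", "device", "link",
         "user", "group", "mtime", "caps")
# flags, optional file-type letter (c = config, d = doc, ...), path
VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify_line(line):
    """Return {'path', 'type', 'missing', 'drift'} or None for noise."""
    line = line.rstrip()
    if line.startswith("missing"):
        fields = line.split()
        ftype = fields[1] if len(fields) == 3 else ""
        return {"path": fields[-1], "type": ftype,
                "missing": True, "drift": set()}
    m = VERIFY_RE.match(line)
    if not m:
        return None
    flags, ftype, path = m.groups()
    # '.' = test passed, '?' = test could not run; any other character
    # is the letter of the attribute that differs from the package.
    drift = {ATTRS[i] for i, ch in enumerate(flags) if ch not in ".?"}
    return {"path": path, "type": ftype or "", "missing": False,
            "drift": drift}

def drifted_paths(output, attr="mode", config_only=True):
    """Paths whose `attr` differs from the package; by default only
    config files (type 'c'), which is what this thread is about."""
    hits = []
    for rec in map(parse_verify_line, output.splitlines()):
        if rec is None or rec["missing"]:
            continue
        if attr in rec["drift"] and (not config_only or rec["type"] == "c"):
            hits.append(rec["path"])
    return hits

# Constructed sample: the two lines from the thread plus two made-up
# lines covering a non-config file and a missing file.
SAMPLE = """\
SM5....T. c /etc/cron.daily/logrotate
SM5....T. c /etc/logrotate.conf
.M....... /usr/sbin/logrotate
missing   c /etc/logrotate.d/syslog
"""
```

Feed it the real output with `drifted_paths(subprocess.run(["rpm", "-V", "logrotate"], capture_output=True, text=True).stdout)` to get the list a scanner would flag.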
@TJM could you provide a fix for that?
@bastelfreak would it be wrong to convert to module hiera data to add this feature? :-/