
[CHEF-3413] Protect secret files created by bootstrap templates

Make /etc/chef/validation.pem and /etc/chef/encrypted_data_bag_secret
readable only by root.
1 parent c823e49 commit 92de5f30626fafc539082f49b6e829cbb71d30e3 @tmatilai tmatilai committed with btm Oct 10, 2012
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
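Review bot: The added `chmod 0600 /etc/chef/validation.pem` runs only after `awk NF /tmp/validation.pem > /etc/chef/validation.pem` has already created the file under the shell's default umask, so the key sits briefly with default permissions before the mode is tightened, and the intermediate `/tmp/validation.pem` is never protected at all. Setting `umask 077` once near the top of the template, before the first secret is written, closes both windows in one line; an alternative per file is to create the target with the right mode first, `install -m 0600 /dev/null /etc/chef/validation.pem`, and only then redirect into it. The same ordering applies to the `@@ -26,6 +27,7 @@` encrypted_data_bag_secret hunk below and to the corresponding pairs of hunks in every other template in this commit, so a single fix per template is preferable to the per-file chmod. The subshell that emits the secret begins before this hunk, so the umask line belongs outside the visible lines. While here, writing a secret to a fixed filename in the shared /tmp directory is worth replacing with a `mktemp`-created path.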
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -30,6 +30,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -39,6 +40,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -32,7 +32,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
-
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -42,6 +42,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -24,6 +24,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -33,6 +34,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
@@ -19,6 +19,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
+chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
@@ -28,6 +29,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
+chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
