Make SSL file permissions a bit more relaxed for public files #2257

Merged
merged 4 commits into from
Feb 12, 2014
37 changes: 27 additions & 10 deletions lib/puppet/defaults.rb
Expand Up @@ -539,26 +539,33 @@ def self.default_diffargs
:certdir => {
:default => "$ssldir/certs",
:type => :directory,
:mode => 0755,
:owner => "service",
:group => "service",
:desc => "The certificate directory."
},
:ssldir => {
:default => "$confdir/ssl",
:type => :directory,
:mode => 0771,
:owner => "service",
:group => "service",
:desc => "Where SSL certificates are kept."
},
:publickeydir => {
:default => "$ssldir/public_keys",
:type => :directory,
:mode => 0755,
:owner => "service",
:group => "service",
:desc => "The public key directory."
},
:requestdir => {
:default => "$ssldir/certificate_requests",
:type => :directory,
:mode => 0755,
:owner => "service",
:group => "service",
:desc => "Where host certificate requests are stored."
},
:privatekeydir => {
Expand All @@ -574,13 +581,15 @@ def self.default_diffargs
:type => :directory,
:mode => 0750,
:owner => "service",
:group => "service",
:desc => "Where the client stores private certificate information."
},
:passfile => {
:default => "$privatedir/password",
:type => :file,
:mode => 0640,
:owner => "service",
:group => "service",
:desc => "Where puppet agent stores the password for its private key.
Generally unused."
},
Expand All @@ -589,13 +598,15 @@ def self.default_diffargs
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Where individual hosts store and look for their certificate requests."
},
:hostcert => {
:default => "$certdir/$certname.pem",
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Where individual hosts store and look for their certificates."
},
:hostprivkey => {
Expand All @@ -611,30 +622,34 @@ def self.default_diffargs
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Where individual hosts store and look for their public key."
},
:localcacert => {
:default => "$certdir/ca.pem",
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Where each client stores the CA certificate."
},
:ssl_client_ca_auth => {
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Certificate authorities who issue server certificates. SSL servers will not be
considered authentic unless they posses a certificate issued by an authority
considered authentic unless they possess a certificate issued by an authority
listed in this file. If this setting has no value then the Puppet master's CA
certificate (localcacert) will be used."
},
:ssl_server_ca_auth => {
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Certificate authorities who issue client certificates. SSL clients will not be
considered authentic unless they posses a certificate issued by an authority
considered authentic unless they possess a certificate issued by an authority
listed in this file. If this setting has no value then the Puppet master's CA
certificate (localcacert) will be used."
},
Expand All @@ -643,6 +658,7 @@ def self.default_diffargs
:type => :file,
:mode => 0644,
:owner => "service",
:group => "service",
:desc => "Where the host's certificate revocation list can be found.
This is distinct from the certificate authority's CRL."
},
Expand Down Expand Up @@ -672,70 +688,71 @@ def self.default_diffargs
:type => :directory,
:owner => "service",
:group => "service",
:mode => 0770,
:mode => 0755,
:desc => "The root directory for the certificate authority."
},
:cacert => {
:default => "$cadir/ca_crt.pem",
:type => :file,
:owner => "service",
:group => "service",
:mode => 0660,
:mode => 0644,
:desc => "The CA certificate."
},
:cakey => {
:default => "$cadir/ca_key.pem",
:type => :file,
:owner => "service",
:group => "service",
:mode => 0660,
:mode => 0640,
:desc => "The CA private key."
},
:capub => {
:default => "$cadir/ca_pub.pem",
:type => :file,
:owner => "service",
:group => "service",
:mode => 0644,
:desc => "The CA public key."
},
:cacrl => {
:default => "$cadir/ca_crl.pem",
:type => :file,
:owner => "service",
:group => "service",
:mode => 0664,

:mode => 0644,
:desc => "The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored.",
},
:caprivatedir => {
:default => "$cadir/private",
:type => :directory,
:owner => "service",
:group => "service",
:mode => 0770,
:mode => 0750,
:desc => "Where the CA stores private certificate information."
},
:csrdir => {
:default => "$cadir/requests",
:type => :directory,
:owner => "service",
:group => "service",
:mode => 0755,
:desc => "Where the CA stores certificate requests"
},
:signeddir => {
:default => "$cadir/signed",
:type => :directory,
:owner => "service",
:group => "service",
:mode => 0770,
:mode => 0755,
:desc => "Where the CA stores signed certificates."
},
:capass => {
:default => "$caprivatedir/ca.pass",
:type => :file,
:owner => "service",
:group => "service",
:mode => 0660,
:mode => 0640,
:desc => "Where the CA stores the password for the private key."
},
:serial => {
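Review bot: In the last hunk the CA private key (`:cakey`) and CA password file (`:capass`) still end up group-readable, `:mode => 0640` next to `:group => "service"`, so every account in the service group can read the CA signing key; if nothing besides the master process needs group access, `:mode => 0600` on those two (and on `:passfile` in the second hunk) would be the tighter default for the private material. Whether any other component relies on group read of these files is not visible from this diff, so treat this as a question to confirm rather than a defect in the change. A smaller style point: the first hunk lists `:mode` before `:owner`/`:group` while the CA settings list it after them; settling on one order makes the permission columns easier to scan. The enclosing settings definition starts before the first hunk and continues past the last one.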