Secure paths that may contain sensitive information.

This includes SSL certs, checks, etc.  Leaving these world readable is a
serious security issue, since an exploit of any service on the system
will provide access to a great deal of privileged information.  The SSL
certs are obvious, but checks may include things like passwords for
other services.

providers/base_config.rb

@@ -5,7 +5,6 @@
   )
 
   sensu_json_file ::File.join(node.sensu.directory, "config.json") do
-    mode 0644
     content Sensu::Helpers.sanitize(definitions)
   end
 end

providers/check.rb

@@ -16,7 +16,6 @@ def load_current_resource
   }
 
   sensu_json_file @definition_path do
-    mode 0644
     content definition
   end
 end

providers/client.rb

@@ -9,7 +9,6 @@
   }
 
   sensu_json_file ::File.join(node.sensu.directory, "conf.d", "client.json") do
-    mode 0644
     content definition
   end
 end

providers/filter.rb

@@ -16,7 +16,6 @@ def load_current_resource
   }
 
   sensu_json_file @definition_path do
-    mode 0644
     content definition
   end
 end

providers/handler.rb

@@ -16,7 +16,6 @@ def load_current_resource
   }
 
   sensu_json_file @definition_path do
-    mode 0644
     content definition
   end
 end

providers/json_file.rb

@@ -2,10 +2,14 @@
   unless Sensu::JSONFile.compare_content(new_resource.path, new_resource.content)
     directory ::File.dirname(new_resource.path) do
       recursive true
-      mode 0755
+      owner new_resource.owner
+      owner new_resource.group
+      mode 0750
     end
 
     file new_resource.path do
+      owner new_resource.owner
+      group new_resource.group
       mode new_resource.mode
       content Sensu::JSONFile.dump_json(new_resource.content)
       notifies :create, "ruby_block[sensu_service_trigger]", :immediately

providers/mutator.rb

@@ -16,7 +16,6 @@ def load_current_resource
   }
 
   sensu_json_file @definition_path do
-    mode 0644
     content definition
   end
 end

providers/snippet.rb

@@ -9,7 +9,6 @@ def load_current_resource
   }
 
   sensu_json_file @definition_path do
-    mode 0644
     content definition
   end
 end

recipes/default.rb

@@ -35,12 +35,14 @@
   owner "sensu"
   group "sensu"
   recursive true
-  mode 0755
+  mode 0750
 end
 
 directory File.join(node.sensu.directory, "conf.d") do
+  owner "root"
+  group "sensu"
   recursive true
-  mode 0755
+  mode 0750
 end
 
 if node.sensu.use_ssl
@@ -54,12 +56,16 @@
 
   file node.sensu.rabbitmq.ssl.cert_chain_file do
     content ssl["client"]["cert"]
-    mode 0644
+    owner "root"
+    group "sensu"
+    mode 0640
   end
 
   file node.sensu.rabbitmq.ssl.private_key_file do
     content ssl["client"]["key"]
-    mode 0644
+    owner "root"
+    group "sensu"
+    mode 0640
   end
 else
   if node.sensu.rabbitmq.port == 5671

recipes/rabbitmq.rb

@@ -37,7 +37,8 @@
     path = File.join(ssl_directory, "#{item}.pem")
     file path do
       content ssl["server"][item]
-      mode 0644
+      group "rabbitmq"
+      mode 0640
     end
     node.override.rabbitmq["ssl_#{item}"] = path
   end

resources/json_file.rb

@@ -1,7 +1,9 @@
 actions :create, :delete
 
 attribute :path, :name_attribute => true
-attribute :mode, :kind_of => [String, Integer]
+attribute :owner, :kind_of => String, :default => 'root'
+attribute :group, :kind_of => String, :default => 'sensu'
+attribute :mode, :kind_of => [String, Integer], :default => 0640
 attribute :content, :kind_of => Hash
 
 def initialize(*args)