From e11bdf4dc008f8020eef0c3f3229b4ecd8c31d12 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Fri, 11 Aug 2023 13:31:17 +0200
Subject: [PATCH] Fixes #36760 - Limit access to server.xml

Prior to this the file was world readable, even though it contained passwords for the keystore. That keystore was limited to just the correct group, so it's not directly exploitable but these kind of things might be used in more complex attacks.

Fixes: 832bafa66c9f ("Initial commit of Candlepin module from the original katello-installer.")
---
 manifests/config.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/manifests/config.pp b/manifests/config.pp
index f6a9e67..964ce8a 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -28,9 +28,9 @@
 file { '/etc/tomcat/server.xml':
 ensure => file,
 content => template('candlepin/tomcat/server.xml.erb'),
- mode => '0644',
+ mode => '0640',
 owner => 'root',
- group => 'root',
+ group => $candlepin::group,
 }
 
 file { '/etc/tomcat/tomcat.conf':
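Review bot: The tightened `mode`/`group` still leaves the keystore passwords in the rendered template exposed through Puppet's own change reporting, because the `file { '/etc/tomcat/server.xml': ... }` resource in this hunk has no `show_diff` setting, so any content change is written as a diff into agent logs and reports. Adding `show_diff => false,` next to the new `mode => '0640',` line closes that channel for the same secret the commit is protecting on disk. The new `group => $candlepin::group,` also presumes the Tomcat runtime user belongs to that group; if it does not, Tomcat loses read access to its own server.xml at the next restart, so this is worth confirming against wherever the tomcat service user is managed. The enclosing class (presumably `candlepin::config`, from the file path) starts and ends outside the hunk.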