Fix permissions, based on scheme introduced by RabbitMQ 3.7.* #796
Conversation
dhoppe
changed the title
| @@ -161,7 +161,7 @@ | |||
| content => template($config), | |||
| owner => '0', | |||
| group => $rabbitmq_group, | |||
| mode => '0640', | |||
| mode => '0644', | |||
There was a problem hiding this comment.
If the directories themselves are readable by the group, as are the files, I think these files can (and should?) stay 0640?
There was a problem hiding this comment.
I have my doubts, too. On the one hand, SSL certificates should not be readable by everyone, but on the other hand these defaults are given by the SGID bit via /etc/rabbitmq.
Maybe this question can be answered by someone who has more experience with RabbitMQ?
There was a problem hiding this comment.
What do you mean given by the sgid bit on the directory? You can have files with mode 0640 in a directory that’s world readable or executable w sgid bit (say 2755 or 2751). Sgid bit just affects default group ownership of files created in the directory afaik
Narrower version of voxpupuli#796 * Set owner of config directories to rabbitmq user rather than root * Set group of config directories explicitly to rabbitmq, and set setgid bit * Set more restrictive permissions on the SSL directories * Update expectations, and test file permissions in acceptance tests
Narrower version of voxpupuli#796 * Set owner of config directories to rabbitmq user rather than root * Set group of config directories explicitly to rabbitmq, and set setgid bit * Set more restrictive permissions on the SSL directories * Update expectations, and test file permissions in acceptance tests
Fixes #703