agdsn / hades

AG DSN Authentication and Authorization Infrastructure
MIT License

Set sensible permissions on generated configs #69

Closed lukasjuhrich closed 4 years ago

lukasjuhrich commented 6 years ago

Currently, all the files generated with hades-generate-config.py are created in Python by just using open(), leaving them with the default mode -rw-r--r--, which makes them world-readable. This is not desirable for files containing secrets, such as auth_vrrp/keepalived.conf, which contains the VRRP password.

I propose to add a mode argument to hades-generate-config.py and to change invocations in the systemd unit files by adding --mode=600.

Example (hades-auth-vrrp.service):

change

ExecStartPre=@bindir@/hades-generate-config auth-keepalived.conf.j2 @pkgrunstatedir@/auth-vrrp/keepalived.conf

to

ExecStartPre=@bindir@/hades-generate-config --mode=600 auth-keepalived.conf.j2 @pkgrunstatedir@/auth-vrrp/keepalived.conf
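The proposal above is to give the generator a `--mode` option so that secret-bearing files are never written with the umask default. The following is an added example, not Hades code: it shows the plain `open()` behaviour the comment describes next to a writer that creates the file with the requested mode from the start and publishes it atomically. The names `parse_mode`, `write_config`, `write_config_naive` and the CLI are assumptions for illustration, and the template rendering step is omitted (the source file is copied as-is).

```python
"""Write a generated config file so that it never exists with permissive
permissions, even briefly.  Added example, not part of Hades; the names
parse_mode, write_config and write_config_naive are assumed."""
import argparse
import os
import stat
import sys
import tempfile


def parse_mode(text):
    """Parse an octal mode string such as "600" (as in --mode=600) into an int."""
    mode = int(text, 8)
    if mode & ~0o7777:
        raise ValueError("mode out of range: %s" % text)
    return mode


def write_config_naive(path, content):
    """The behaviour described in the issue: plain open() honours the umask,
    so with the usual umask 022 the file comes out as -rw-r--r--."""
    with open(path, "w") as f:
        f.write(content)


def write_config(path, content, mode=0o600):
    """Create the file with the requested mode before any data is written.

    mkstemp creates the temporary file as 0600, fchmod applies the final mode
    while the file is still empty, and os.replace makes the result visible
    atomically, so a reader racing the writer sees either the old file or the
    complete new one, never a half-written or world-readable version."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)
    except BaseException:
        os.unlink(tmp_path)
        raise


def file_mode(path):
    """Return only the permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def current_umask():
    """Read the process umask (os.umask can only read by setting)."""
    old = os.umask(0)
    os.umask(old)
    return old


def main(argv=None):
    """Minimal stand-in for the generator CLI: SOURCE is copied to OUTPUT."""
    parser = argparse.ArgumentParser(
        description="Write SOURCE to OUTPUT with fixed permission bits")
    parser.add_argument("--mode", type=parse_mode, default=0o600,
                        help="octal permission bits for OUTPUT, e.g. 600")
    parser.add_argument("source")
    parser.add_argument("output")
    args = parser.parse_args(argv)
    with open(args.source) as f:
        content = f.read()
    write_config(args.output, content, args.mode)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Setting the mode with `fchmod` on the still-empty temporary file, rather than calling `chmod` after the write, is what closes the window in which the secret would be readable by everyone; `os.replace` then guarantees that the destination path never points at a partial file.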

sebschrader commented 6 years ago

Good idea.

lukasjuhrich commented 6 years ago

@sebschrader where/when has this been fixed?

sebschrader commented 6 years ago

It's been implemented in 2d7c459, but apparently I forgot to mention the issue in the message.

sebschrader commented 6 years ago

Home directories under /var/lib/hades and the config directory /etc/hades are still world-readable.

lukasjuhrich commented 6 years ago

Why should subdirectories of /etc not be world readable? Lots of other software does this and it does not impose a security risk a priori.

sebschrader commented 6 years ago

It depends on its contents. Not everything in /etc is world readable, take /etc/ldap.secret, /etc/ssl/private, or /etc/shadow for example.

In the case of Hades, /etc/hades/config.py, currently the only file in this directory, contains the VRRP secrets you wanted to protect with this issue. It doesn't make any sense to protect the generated config files, when the original source of data remains world readable.
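The point made above is that hardening the generated files achieves little while the source they are rendered from, or the directories around them, stay world-readable. As an added example (not part of Hades), the following walks a directory tree such as /etc/hades or /var/lib/hades and lists every directory and regular file whose "other" read bit is set, so that findings like the one in this comment can be checked mechanically. `find_world_readable` and `is_world_readable` are assumed names; the sample tree in the usage is constructed.

```python
"""Report world-readable entries under a directory tree.  Added example, not
part of Hades; find_world_readable and is_world_readable are assumed names."""
import os
import stat
import sys


def is_world_readable(mode):
    """True if the 'other' read bit is set in the given st_mode or permission bits."""
    return bool(mode & stat.S_IROTH)


def find_world_readable(root):
    """Walk root and return the sorted relative paths of directories and
    regular files readable by 'other'.  Symlinks are skipped (lstat is used)
    so a link pointing elsewhere is not reported on its own.  Entries below
    a non-traversable parent are still reported, because that parent's bits
    may change later and the entry itself should carry safe permissions."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself; os.walk visits every subdirectory
        # as a later dirpath, so directories are covered exactly once.
        for name in [""] + filenames:
            full = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_world_readable(st.st_mode):
                rel = os.path.relpath(full, root)
                findings.append(rel)
    return sorted(findings)


def main(argv=None):
    """Print one finding per line for each directory given on the command line."""
    roots = argv if argv is not None else sys.argv[1:]
    total = 0
    for root in roots:
        for rel in find_world_readable(root):
            print("%s: %s" % (root, rel))
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `python3 audit.py /etc/hades /var/lib/hades` (file name assumed) it exits non-zero when anything is world-readable, which makes it usable as a post-install or CI check. Note that a 0600 file inside a 0755 directory is still protected in content; the directory listing, however, reveals the file's existence, which is why the directory mode is reported as well.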

sebschrader commented 4 years ago

This has been addressed.