voxpupuli / puppet-openssl

Puppet OpenSSL module
Apache License 2.0

ssl_pkey file permissions should default to 0600 and should be changeable #95

Closed kasimon closed 3 years ago

kasimon commented 7 years ago

As of v1.10.0,

ssl_pkey { '/path/to/private.key':
  ensure => 'present',
}

creates a private key file with 0644 permissions. Given the security-critical role of private keys, this should default to 0600 and be changeable with the usual user, group and mode options.

kasimon commented 7 years ago

As I just recognized, you can use a file resource to accomplish this:

  $private_key = '/path/to/private.key'
  ssl_pkey { $private_key:
    ensure => 'present',
  }
  file { $private_key:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

Probably this should be added to the documentation.
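
An added check, not part of the thread or of puppet-openssl: a Python audit that walks a directory and reports PEM private keys whose mode grants anything beyond 0600, the condition this issue describes. The function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

PEM_PRIVATE_MARKERS = tuple(  # PEM headers that mark private key material
    b"-----BEGIN %sPRIVATE KEY-----" % kind
    for kind in (b"", b"RSA ", b"EC ", b"ENCRYPTED ")
)

def is_private_key(path):
    """True if the file starts with a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(64).lstrip().startswith(PEM_PRIVATE_MARKERS)
    except OSError:
        return False

def audit_key_modes(root, max_mode=0o600):
    """Return [(path, mode)] for private keys with bits outside max_mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: symlinks are skipped, not followed
            if not stat.S_ISREG(st.st_mode) or not is_private_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~max_mode:  # any group/other or execute bit set
                findings.append((path, mode))
    return sorted(findings)

def demo():
    """Constructed sample: one key at 0644, one at 0600, one certificate."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "loose.key": (b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n", 0o644),
            "tight.key": (b"-----BEGIN PRIVATE KEY-----\nconstructed\n", 0o600),
            "cert.pem": (b"-----BEGIN CERTIFICATE-----\nconstructed\n", 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), oct(m)) for p, m in audit_key_modes(d)]

if __name__ == "__main__":
    print(demo())
```

Pointing audit_key_modes at the directory that holds the managed keys after a Puppet run shows whether the file resource above took effect on every key.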

raphink commented 6 years ago

I'd definitely welcome a PR against the README for that.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.