Fix config permissions

The default permissions were too strict. We didn't want the config files writeable by PowerDNS becuase it's not necessary for operation but they need to be readable x.x This splits the difference by not making them world readable but making the pdns user the group. This might be a touch too far and we may want to 644 and make the user and group that set by the resource. Feedback welcome. Signed-off-by: David Aronsohn <WagThatTail@Me.com>
dnsimple · Mar 1, 2018 · 4e901a4 · 4e901a4
1 parent 6b80d46
commit 4e901a4
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 16 deletions.
diff --git a/resources/authoritative_config.rb b/resources/authoritative_config.rb
@@ -48,13 +48,6 @@
 property :variables, Hash, default: lazy { |resource| { bind_config: "#{resource.config_dir}/bindbackend.conf" } }
 
 action :create do
-  directory new_resource.config_dir do
-    owner 'root'
-    group 'root'
-    mode '0755'
-    action :create
-  end
-
   user new_resource.run_user do
     home new_resource.run_user_home
     shell new_resource.run_user_shell
@@ -80,11 +73,18 @@
     action :create
   end
 
+  directory new_resource.config_dir do
+    owner 'root'
+    group new_resource.run_group
+    mode '0750'
+    action :create
+  end
+
   template "#{new_resource.config_dir}/#{authoritative_instance_config(new_resource.instance_name)}" do
     source new_resource.source
     cookbook new_resource.cookbook
     owner 'root'
-    group 'root'
+    group new_resource.run_group
     mode '0640'
     variables(
       launch: new_resource.launch,

diff --git a/resources/recursor_config.rb b/resources/recursor_config.rb
@@ -47,13 +47,6 @@
 property :variables, Hash, default: {}
 
 action :create do
-  directory new_resource.config_dir do
-    owner 'root'
-    group 'root'
-    mode '0755'
-    action :create
-  end
-
   user new_resource.run_user do
     home new_resource.run_user_home
     shell new_resource.run_user_shell
@@ -79,11 +72,18 @@
     action :create
   end
 
+  directory new_resource.config_dir do
+    owner 'root'
+    group new_resource.run_group
+    mode '0750'
+    action :create
+  end
+
   template "#{new_resource.config_dir}/#{recursor_instance_config(new_resource.instance_name)}" do
     source new_resource.source
     cookbook new_resource.cookbook
     owner 'root'
-    group 'root'
+    group new_resource.run_group
     mode '0640'
     variables(
       socket_dir: new_resource.socket_dir,