From b9a5c7b5b54badfea57bb4849639ff1be472cac5 Mon Sep 17 00:00:00 2001
From: David Aronsohn
Date: Thu, 1 Mar 2018 14:14:26 -0800
Subject: [PATCH] Fix config permissions
The default permissions were too strict. We didn't want the config files writeable by PowerDNS becuase it's not necessary for operation but they need to be readable x.x This splits the difference by not making them world readable but making the pdns user the group. This might be a touch too far and we may want to 644 and make the user and group that set by the resource. Feedback welcome.
Signed-off-by: David Aronsohn
---
 resources/authoritative_config.rb | 16 ++++++++--------
 resources/recursor_config.rb | 16 ++++++++--------
 2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/resources/authoritative_config.rb b/resources/authoritative_config.rb
index 40bfa86d..915d301f 100644
--- a/resources/authoritative_config.rb
+++ b/resources/authoritative_config.rb
@@ -48,13 +48,6 @@
 property :variables, Hash, default: lazy { |resource| { bind_config: "#{resource.config_dir}/bindbackend.conf" } }
 
 action :create do
- directory new_resource.config_dir do
- owner 'root'
- group 'root'
- mode '0755'
- action :create
- end
-
 user new_resource.run_user do
 home new_resource.run_user_home
 shell new_resource.run_user_shell
@@ -80,11 +73,18 @@
 action :create
 end
 
+ directory new_resource.config_dir do
+ owner 'root'
+ group new_resource.run_group
+ mode '0750'
+ action :create
+ end
+
 template "#{new_resource.config_dir}/#{authoritative_instance_config(new_resource.instance_name)}" do
 source new_resource.source
 cookbook new_resource.cookbook
 owner 'root'
- group 'root'
+ group new_resource.run_group
 mode '0640'
 variables(
 launch: new_resource.launch,
diff --git a/resources/recursor_config.rb b/resources/recursor_config.rb
index a3ad71e6..c97bedd1 100644
--- a/resources/recursor_config.rb
+++ b/resources/recursor_config.rb
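Review bot: The `template` resource in the `@@ -80,11 +73,18 @@` hunk of resources/authoritative_config.rb keeps `mode '0640'` but does not set `sensitive true`, so by default Chef will still print the rendered diff in converge output and logs whenever the file changes. The template body is not visible here, but if `variables(...)` ever carries backend credentials or an API key, that output leaks what the file mode is protecting. I would add `sensitive true` next to `mode '0640'` and stay with 0640 rather than the 644 floated in the description. The same applies to the template in the `@@ -79,11 +72,18 @@` hunk of resources/recursor_config.rb. The enclosing `action :create` block starts and ends outside the hunk.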
@@ -47,13 +47,6 @@
 property :variables, Hash, default: {}
 
 action :create do
- directory new_resource.config_dir do
- owner 'root'
- group 'root'
- mode '0755'
- action :create
- end
-
 user new_resource.run_user do
 home new_resource.run_user_home
 shell new_resource.run_user_shell
@@ -79,11 +72,18 @@
 action :create
 end
 
+ directory new_resource.config_dir do
+ owner 'root'
+ group new_resource.run_group
+ mode '0750'
+ action :create
+ end
+
 template "#{new_resource.config_dir}/#{recursor_instance_config(new_resource.instance_name)}" do
 source new_resource.source
 cookbook new_resource.cookbook
 owner 'root'
- group 'root'
+ group new_resource.run_group
 mode '0640'
 variables(
 socket_dir: new_resource.socket_dir,
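Review bot: The `directory new_resource.config_dir` block added in `@@ -79,11 +72,18 @@` takes the directory's group from this resource's `run_group`, and resources/authoritative_config.rb now does the same for its own `config_dir`. If both resources are ever pointed at the same directory with different `run_group` values (the property defaults are not visible in this patch), each converge would flip the group and, under `mode '0750'`, one daemon would lose read access to its config. A comment above the block such as `# config_dir group follows run_group; instances sharing a directory must share run_group` would document the constraint. The enclosing `action :create` block extends beyond the hunk.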