Commit 92de5f30 authored by Teemu Matilainen's avatar Teemu Matilainen Committed by Bryan McLellan

[CHEF-3413] Protect secret files created by bootstrap templates

Make /etc/chef/validation.pem and /etc/chef/encrypted_data_bag_secret
readable only by root.
parent c823e49f
......@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
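Review bot: The new `chmod 0600 /etc/chef/validation.pem` line tightens the mode only after `awk NF /tmp/validation.pem > /etc/chef/validation.pem` has already created the file under the bootstrap shell's umask, so the secret briefly exists with whatever mode that umask yields (commonly 0644); the same ordering applies to the encrypted_data_bag_secret hunk just below and to the other six template sections on this page. Setting the mode before the content lands removes that window, e.g. `umask 077` once near the top of the template, or per file `( umask 077; awk NF /tmp/validation.pem > /etc/chef/validation.pem )`, after which the chmod becomes a belt-and-braces step. The `/tmp/validation.pem` staging copy on the context lines is left unprotected by this commit and has the same umask exposure, plus a fixed, predictable name in a shared directory; a `umask 077` placed before the heredoc, or a `mktemp`-generated path, would cover it as well. The heredoc that produces `/tmp/validation.pem` begins above the hunk.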
......@@ -30,6 +30,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -39,6 +40,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
......@@ -32,7 +32,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -42,6 +42,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
......@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
......@@ -17,6 +17,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -26,6 +27,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
......@@ -24,6 +24,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -33,6 +34,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>
......@@ -19,6 +19,7 @@ EOP
) > /tmp/validation.pem
awk NF /tmp/validation.pem > /etc/chef/validation.pem
rm /tmp/validation.pem
chmod 0600 /etc/chef/validation.pem
<% if @chef_config[:encrypted_data_bag_secret] -%>
(
......@@ -28,6 +29,7 @@ EOP
) > /tmp/encrypted_data_bag_secret
awk NF /tmp/encrypted_data_bag_secret > /etc/chef/encrypted_data_bag_secret
rm /tmp/encrypted_data_bag_secret
chmod 0600 /etc/chef/encrypted_data_bag_secret
<% end -%>
<%# Generate Ohai Hints -%>