#2474 stricter config file permissions
Merged 2 years ago by tkopecek. Opened 2 years ago by tkopecek.
tkopecek/koji issue2124  into  master

file modified
+20 -1
@@ -648,6 +648,7 @@ 

  -------------------

  

  * ``/etc/koji-hub/hub.conf``

+ * ``/etc/koji-hub/hub.conf.d/*``

  * ``/etc/httpd/conf/httpd.conf``

  * ``/etc/httpd/conf.d/kojihub.conf``

  * ``/etc/httpd/conf.d/ssl.conf`` (when using ssl auth)
@@ -766,6 +767,16 @@ 

  

      root@localhost$ setsebool -P httpd_can_network_connect_db=1

  

+ Note, that database connection parameters (password) are sensitive values.

+ Config is installed by default with 0640 root/apache file permissions. If you're

+ not installing hub from rpm double-check these permissions.

+ 

+ Furthermore, you can install any config file in ``/etc/koji-hub/hub.conf.d``

+ directory. These files are read *at first* and main config is allowed to

+ override all these values. So, you can use e.g.

+ ``/etc/koji-hub/hub.conf.d/secret.conf`` for sensitive values. Typical usecase

+ for separate config is :doc:`policy <defining_hub_policies>` configuration file.

+ 

  Authentication Configuration

  ----------------------------

  
@@ -914,6 +925,7 @@ 

  * ``/etc/httpd/conf.d/kojiweb.conf``

  * ``/etc/httpd/conf.d/ssl.conf``

  * ``/etc/kojiweb/web.conf``

+ * ``/etc/kojiweb/web.conf.d/*``

  

  Install Koji-Web

  ----------------
@@ -973,7 +985,14 @@ 

  You will also need to tell kojiweb where it can find the SSL certificates for

  each of these components. If you are using SSL authentication, the "WebCert"

  line below must contain both the public **and** private key. You will also want

- to change the last line in the example below to a unique password.

+ to change the last line in the example below to a unique password. Also check

+ the file permissions (due to Secret value) if you're not installing koji web

+ from rpm (0640, root/apache by default).

+ 

+ Furthermore, you can install any config file in ``/etc/kojiweb/web.conf.d``

+ directory. These files are read *at first* and main config is allowed to

+ override all these values. So, you can use e.g.

+ ``/etc/kojiweb/web.conf.d/secret.conf`` for sensitive values.

  

  ::

  

file modified
+1
@@ -11,6 +11,7 @@ 

  DBUser = koji

  #DBHost = db.example.com

  #DBPort = 5432

+ #Note, that db password is sensitive and this file shouldn't be publicly readable.

  #DBPass = example_password

  KojiDir = /mnt/koji

  

file modified
+2 -2
@@ -500,9 +500,9 @@ 

  

  %if 0%{py3_support} > 1

  %files hub

- %config(noreplace) /etc/httpd/conf.d/kojihub.conf

+ %config(noreplace) %attr(0640, root, apache) /etc/httpd/conf.d/kojihub.conf

  %dir /etc/koji-hub

- %config(noreplace) /etc/koji-hub/hub.conf

+ %config(noreplace) %attr(0640, root, apache) /etc/koji-hub/hub.conf

  %dir /etc/koji-hub/hub.conf.d

  %{_sbindir}/koji-sweep-db

  %if %{use_systemd}

file modified
+1 -1
@@ -21,7 +21,7 @@ 

  

  LoginTimeout = 72

  

- # This must be changed and uncommented before deployment

+ # This must be CHANGED to random value and uncommented before deployment

  # Secret = CHANGE_ME

  

  LibPath = /usr/share/koji-web/lib