PR#2474: stricter config file permissions - koji

koji

#2474 stricter config file permissions

Merged 3 years ago by tkopecek. Opened 3 years ago by tkopecek.

tkopecek/koji issue2124 into master

stricter config file permissions

Tomas Kopecek • 3 years ago

e72a7be

docs/source/server_howto.rst

file modified

+20 -1

		`@@ -648,6 +648,7 @@`
		`-------------------`

		* ``/etc/koji-hub/hub.conf``
		+ * ``/etc/koji-hub/hub.conf.d/*``
		* ``/etc/httpd/conf/httpd.conf``
		* ``/etc/httpd/conf.d/kojihub.conf``
		* ``/etc/httpd/conf.d/ssl.conf`` (when using ssl auth)
		`@@ -766,6 +767,16 @@`

		`root@localhost$ setsebool -P httpd_can_network_connect_db=1`

		`+ Note, that database connection parameters (password) are sensitive values.`
		`+ Config is installed by default with 0640 root/apache file permissions. If you're`
		`+ not installing hub from rpm double-check these permissions.`
		`+`
		+ Furthermore, you can install any config file in ``/etc/koji-hub/hub.conf.d``
		`+ directory. These files are read at first and main config is allowed to`
		`+ override all these values. So, you can use e.g.`
		+ ``/etc/koji-hub/hub.conf.d/secret.conf`` for sensitive values. Typical usecase
		+ for separate config is :doc:`policy <defining_hub_policies>` configuration file.
		`+`
		`Authentication Configuration`
		`----------------------------`

		`@@ -914,6 +925,7 @@`
		* ``/etc/httpd/conf.d/kojiweb.conf``
		* ``/etc/httpd/conf.d/ssl.conf``
		* ``/etc/kojiweb/web.conf``
		+ * ``/etc/kojiweb/web.conf.d/*``

		`Install Koji-Web`
		`----------------`
		`@@ -973,7 +985,14 @@`
		`You will also need to tell kojiweb where it can find the SSL certificates for`
		`each of these components. If you are using SSL authentication, the "WebCert"`
		`line below must contain both the public and private key. You will also want`
		`- to change the last line in the example below to a unique password.`
		`+ to change the last line in the example below to a unique password. Also check`
		`+ the file permissions (due to Secret value) if you're not installing koji web`
		`+ from rpm (0640, root/apache by default).`
		`+`
		+ Furthermore, you can install any config file in ``/etc/kojiweb/web.conf.d``
		`+ directory. These files are read at first and main config is allowed to`
		`+ override all these values. So, you can use e.g.`
		+ ``/etc/kojiweb/web.conf.d/secret.conf`` for sensitive values.

		`::`

hub/hub.conf

file modified

		`@@ -11,6 +11,7 @@`
		`DBUser = koji`
		`#DBHost = db.example.com`
		`#DBPort = 5432`
		`+ #Note, that db password is sensitive and this file shouldn't be publicly readable.`
		`#DBPass = example_password`
		`KojiDir = /mnt/koji`

koji.spec

file modified

+2 -2

		`@@ -500,9 +500,9 @@`

		`%if 0%{py3_support} > 1`
		`%files hub`
		`- %config(noreplace) /etc/httpd/conf.d/kojihub.conf`
		`+ %config(noreplace) %attr(0640, root, apache) /etc/httpd/conf.d/kojihub.conf`
		`%dir /etc/koji-hub`
		`- %config(noreplace) /etc/koji-hub/hub.conf`
		`+ %config(noreplace) %attr(0640, root, apache) /etc/koji-hub/hub.conf`
		`%dir /etc/koji-hub/hub.conf.d`
		`%{_sbindir}/koji-sweep-db`
		`%if %{use_systemd}`

www/conf/web.conf

file modified

+1 -1

		`@@ -21,7 +21,7 @@`

		`LoginTimeout = 72`

		`- # This must be changed and uncommented before deployment`
		`+ # This must be CHANGED to random value and uncommented before deployment`
		`# Secret = CHANGE_ME`

		`LibPath = /usr/share/koji-web/lib`