launchpad-reviewers team mailing list archive

[Merge] lp:~jtv/maas/pkg-bug-1060095 into lp:~maas-maintainers/maas/packaging

 

Jeroen T. Vermeulen has proposed merging lp:~jtv/maas/pkg-bug-1060095 into lp:~maas-maintainers/maas/packaging.

Commit message:
Make maas_local_settings readable only to root & maas.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1060095 in MAAS: "Database password in maas_local_settings.py is world-readable"
  https://bugs.launchpad.net/maas/+bug/1060095

For more details, see:
https://code.launchpad.net/~jtv/maas/pkg-bug-1060095/+merge/127451

As discussed with Raphael.  This file should be private.  Only the installation process has legitimate reason to write to it, and root aside, only maas has a legitimate reason to read from it.


Jeroen
-- 
https://code.launchpad.net/~jtv/maas/pkg-bug-1060095/+merge/127451
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~jtv/maas/pkg-bug-1060095 into lp:~maas-maintainers/maas/packaging.
=== modified file 'debian/maas-region-controller.postinst'
--- debian/maas-region-controller.postinst	2012-10-01 10:35:56 +0000
+++ debian/maas-region-controller.postinst	2012-10-02 10:25:25 +0000
@@ -137,10 +137,14 @@
 	mkdir -p /var/lib/maas/media/storage
 	chown -R maas:maas /var/lib/maas/
 
-	# Local celery config may contain credentials, so should be readable
+	# Config will contain credentials, so should be readable
 	# by the application but nobody else.
-	chown root:maas /etc/maas/maas_local_celeryconfig.py
-	chmod 0640 /etc/maas/maas_local_celeryconfig.py
+	chown root:maas \
+		/etc/maas/maas_local_celeryconfig.py \
+		/etc/maas/maas_local_settings
+	chmod 0640 \
+		/etc/maas/maas_local_celeryconfig.py \
+		/etc/maas/maas_local_settings
 
 	#########################################################
 	################  Configure Apache2  ####################
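
Review bot: the path added to both the chown and chmod argument lists is `/etc/maas/maas_local_settings`, with no `.py` suffix, while the related bug names the file `maas_local_settings.py` and the celery config beside it keeps its `.py`. If the file on disk is `/etc/maas/maas_local_settings.py`, the password file stays world-readable, and both commands exit non-zero on the missing path. Suggest using `/etc/maas/maas_local_settings.py` in both lists. Now that the comment covers two files, it would also help to name them instead of the generic "Config".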

