Reduce permissions for app configuration

silkeh · silkeh · commit 4c88ca06ca83 · 2018-09-24T12:19:11.000+02:00
Having the app configuration world readable may expose the content of
more sensitive environment variables. Remove the 'other' permissions
to mitigate this.
diff --git a/manifests/app.pp b/manifests/app.pp
@@ -43,7 +43,7 @@
     ensure  => $ensure,
     owner   => $uid,
     group   => $gid,
-    mode    => '0644',
+    mode    => '0640',
     content => template($template),
     notify  => Service['uwsgi'],
   }
diff --git a/spec/defines/app_spec.rb b/spec/defines/app_spec.rb
@@ -29,7 +29,7 @@
                   'ensure' => 'present',
                   'owner' => 'test',
                   'group' => 'test',
-                  'mode' => '0644'
+                  'mode' => '0640'
                 )
             end
           else
@@ -39,7 +39,7 @@
                   'ensure' => 'present',
                   'owner' => 'test',
                   'group' => 'test',
-                  'mode' => '0644'
+                  'mode' => '0640'
                 )
             end
           end
@@ -50,7 +50,7 @@
                 'ensure' => 'present',
                 'owner' => 'test',
                 'group' => 'test',
-                'mode' => '0644'
+                'mode' => '0640'
               )
           end
         end

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@`
`43`	`43`	`ensure => $ensure,`
`44`	`44`	`owner => $uid,`
`45`	`45`	`group => $gid,`
`46`		`- mode => '0644',`
	`46`	`+ mode => '0640',`
`47`	`47`	`content => template($template),`
`48`	`48`	`notify => Service['uwsgi'],`
`49`	`49`	`}`