Restrict PostgreSQL configuration rights, Refs #39445

888f59ad · Baptiste DE RENZO · 4757aa48 · 888f59ad · 888f59ad · 888f59ad
Commit 888f59ad authored 8 months ago by Baptiste DE RENZO
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@

 * Remove `admin` and `ubicast` system user shell password definition in the `system/user` role.  
 Associated variables are `sysuser_admin_password` and `sysuser_ubicast_password`.
+* Restrict PostgreSQL configuration files and directory rights.

 # 2024-07-01


--- a/roles/nudgis/postgres/tasks/configure.yml
+++ b/roles/nudgis/postgres/tasks/configure.yml
@@ -17,6 +17,9 @@
 - name: "CREATE POSTGRESQL DATABASES"
  ansible.builtin.include_tasks: "configure/databases.yml"

+- name: "RESTRICT POSTGRESQSL CONFIGURATION RIGHTS"
+  ansible.builtin.include_tasks: "configure/configuration-rights.yml"
+
 # Flush to restart postgresql in time for HA deployment
 - name: "Flush handlers"
  ansible.builtin.meta: flush_handlers

--- a/roles/nudgis/postgres/tasks/configure/authentication.yml
+++ b/roles/nudgis/postgres/tasks/configure/authentication.yml
@@ -7,7 +7,7 @@
    dest: "{{ database_conf_dir }}/pg_hba.conf"
    owner: postgres
    group: postgres
-    mode: "0640"
+    mode: "0600"
    backup: true

 ...
--- a/roles/nudgis/postgres/tasks/configure/configuration-rights.yml
+++ b/roles/nudgis/postgres/tasks/configure/configuration-rights.yml
+---
+
+# See RM#39445
+
+- name: "Find all postgresql *.conf files"
+  ansible.builtin.find:
+    paths: "{{ database_conf_dir }}"
+    patterns: "*.conf"
+  register: postgresql_conf_files
+
+- name: "Restrict postgresql *.conf files rights"
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    mode: '600'
+  loop: "{{ postgresql_conf_files.files }}"
+  loop_control:
+    label: "{{ item.path }}"
+
+- name: "Restrict postgresql directory rights"
+  ansible.builtin.file:
+    path: "{{ database_conf_dir }}"
+    mode: '700'
+
+...
--- a/roles/nudgis/postgres_ha/tasks/base/rephacheck.yml
+++ b/roles/nudgis/postgres_ha/tasks/base/rephacheck.yml
@@ -17,7 +17,7 @@
    dest: /etc/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}/rephacheck.conf
    owner: postgres
    group: postgres
-    mode: "0644"
+    mode: "0600"

 - name: "Configure rephacheck socket"
  notify:

--- a/roles/nudgis/postgres_ha/tasks/base/repmgr.yml
+++ b/roles/nudgis/postgres_ha/tasks/base/repmgr.yml
@@ -7,7 +7,7 @@
    dest: "{{ repmgr_conf_file }}"
    owner: postgres
    group: postgres
-    mode: "644"
+    mode: "600"

 - name: "Configure debian default"
  notify: "Restart repmgrd"