Ticket #748: puppet-0.23.1_Tightened_Config.patch
| File puppet-0.23.1_Tightened_Config.patch, 9.3 kB (added by peiriannydd, 1 year ago) |
|---|
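--- a/lib/puppet/configuration.rb
+++ b/lib/puppet/configuration.rb
@@ -51,13 +51,17 @@
 syslog. Syslog has a fixed list of valid facilities, and you must
 choose one of those; you cannot just make one up."],
 :statedir => { :default => "$vardir/state",
-:mode => 01777,
+:owner => "$user",
+:group => "$group",
+:mode => 0750,
 :desc => "The directory where Puppet state is stored. Generally,
 this directory can be removed without causing harm (although it
 might result in spurious service restarts)."
 },
 :statefile => { :default => "$statedir/state.yaml",
-:mode => 0660,
+:owner => "$user",
+:group => "$group",
+:mode => 0640,
 :desc => "Where puppetd and puppetmasterd store state associated
 with the running configuration. In the case of puppetmasterd,
 this file reflects the state discovered through interacting
@@ -65,12 +69,15 @@
 },
 :ssldir => {
 :default => "$confdir/ssl",
-:mode => 0771,
+:mode => 01750,
 :owner => "root",
+:group => "puppet",
 :desc => "Where SSL certificates are kept."
 },
 :rundir => { :default => rundir,
-:mode => 01777,
+:owner => "$user",
+:group => "$group",
+:mode => 0750,
 :desc => "Where Puppet PID files are kept."
 },
 :genconfig => [false,
@@ -139,36 +146,52 @@
 :certdir => ["$ssldir/certs", "The certificate directory."],
 :publickeydir => ["$ssldir/public_keys", "The public key directory."],
 :privatekeydir => { :default => "$ssldir/private_keys",
+:owner => "$user",
+:group => "$group",
 :mode => 0750,
 :desc => "The private key directory."
 },
 :privatedir => { :default => "$ssldir/private",
+:owner => "root",
+:group => "$group",
 :mode => 0750,
 :desc => "Where the client stores private certificate information."
 },
 :passfile => { :default => "$privatedir/password",
+:owner => "root",
+:group => "root",
 :mode => 0640,
 :desc => "Where puppetd stores the password for its private key.
 Generally unused."
 },
 :hostcsr => { :default => "$ssldir/csr_$certname.pem",
-:mode => 0644,
+:owner => "root",
+:group => "root",
+:mode => 0640,
 :desc => "Where individual hosts store and look for their certificates."
 },
 :hostcert => { :default => "$certdir/$certname.pem",
-:mode => 0644,
+:owner => "root",
+:group => "root",
+:mode => 0640,
 :desc => "Where individual hosts store and look for their certificates."
 },
 :hostprivkey => { :default => "$privatekeydir/$certname.pem",
+:owner => "root",
+:group => "root",
 :mode => 0600,
 :desc => "Where individual hosts store and look for their private key."
 },
 :hostpubkey => { :default => "$publickeydir/$certname.pem",
-:mode => 0644,
+:owner => "root",
+:group => "root",
+:mode => 0640,
 :desc => "Where individual hosts store and look for their public key."
 },
 :localcacert => { :default => "$certdir/ca.pem",
-:mode => 0644,
+:owner => "root",
+:group => "root",
+:mode => 0640,
 :desc => "Where each client stores the CA certificate."
 }
 )
@@ -177,62 +200,67 @@
 :cadir => { :default => "$ssldir/ca",
 :owner => "$user",
 :group => "$group",
-:mode => 0770,
+:mode => 0750,
 :desc => "The root directory for the certificate authority."
 },
 :cacert => { :default => "$cadir/ca_crt.pem",
 :owner => "$user",
 :group => "$group",
-:mode => 0660,
+:mode => 0640,
 :desc => "The CA certificate."
 },
 :cakey => { :default => "$cadir/ca_key.pem",
 :owner => "$user",
 :group => "$group",
-:mode => 0660,
+:mode => 0640,
 :desc => "The CA private key."
 },
 :capub => { :default => "$cadir/ca_pub.pem",
 :owner => "$user",
 :group => "$group",
+:mode => 0640,
 :desc => "The CA public key."
 },
 :cacrl => { :default => "$cadir/ca_crl.pem",
 :owner => "$user",
 :group => "$group",
-:mode => 0664,
+:mode => 0640,
 :desc => "The certificate revocation list (CRL) for the CA. Set this to 'none' if you do not want to use a CRL."
 },
 :caprivatedir => { :default => "$cadir/private",
 :owner => "$user",
 :group => "$group",
-:mode => 0770,
+:mode => 0750,
 :desc => "Where the CA stores private certificate information."
 },
 :csrdir => { :default => "$cadir/requests",
 :owner => "$user",
 :group => "$group",
+:mode => 0750,
 :desc => "Where the CA stores certificate requests"
 },
 :signeddir => { :default => "$cadir/signed",
 :owner => "$user",
 :group => "$group",
-:mode => 0770,
+:mode => 0750,
 :desc => "Where the CA stores signed certificates."
 },
 :capass => { :default => "$caprivatedir/ca.pass",
 :owner => "$user",
 :group => "$group",
-:mode => 0660,
+:mode => 0600,
 :desc => "Where the CA stores the password for the private key"
 },
 :serial => { :default => "$cadir/serial",
 :owner => "$user",
 :group => "$group",
+:mode => 0640,
 :desc => "Where the serial number for certificates is stored."
 },
 :autosign => { :default => "$confdir/autosign.conf",
-:mode => 0644,
+:owner => "$user",
+:group => "$group",
+:mode => 0640,
 :desc => "Whether to enable autosign. Valid values are true (which
 autosigns any key request, and is a very bad idea), false (which
 never autosigns any key request), and the path to a file, which
@@ -250,7 +278,7 @@
 :keylength => [1024, "The bit length of keys."],
 :cert_inventory => {
 :default => "$cadir/inventory.txt",
-:mode => 0644,
+:mode => 0640,
 :owner => "$user",
 :group => "$group",
 :desc => "A Complete listing of all certificates"
@@ -280,14 +308,14 @@
 :masterlog => { :default => "$logdir/puppetmaster.log",
 :owner => "$user",
 :group => "$group",
-:mode => 0660,
+:mode => 0640,
 :desc => "Where puppetmasterd logs. This is generally not used,
 since syslog is the default log destination."
 },
 :masterhttplog => { :default => "$logdir/masterhttp.log",
 :owner => "$user",
 :group => "$group",
-:mode => 0660,
+:mode => 0640,
 :create => true,
 :desc => "Where the puppetmasterd web server logs."
 },
@@ -319,23 +347,27 @@
 self.setdefaults(:puppetd,
 :localconfig => { :default => "$statedir/localconfig",
 :owner => "root",
-:mode => 0660,
+:group => "root",
+:mode => 0640,
 :desc => "Where puppetd caches the local configuration. An
 extension indicating the cache format is added automatically."},
 :classfile => { :default => "$statedir/classes.txt",
 :owner => "root",
-:mode => 0644,
+:group => "root",
+:mode => 0640,
 :desc => "The file in which puppetd stores a list of the classes
 associated with the retrieved configuratiion. Can be loaded in
 the separate ``puppet`` executable using the ``--loadclasses``
 option."},
 :puppetdlog => { :default => "$logdir/puppetd.log",
 :owner => "root",
+:group => "root",
 :mode => 0640,
 :desc => "The log file for puppetd. This is generally not used."
 },
 :httplog => { :default => "$logdir/http.log",
 :owner => "root",
+:group => "root",
 :mode => 0640,
 :desc => "Where the puppetd web server logs."
 },
@@ -366,6 +398,8 @@
 
 self.setdefaults(:filebucket,
 :clientbucketdir => {
+:owner => "$user",
+:group => "$group",
 :default => "$vardir/clientbucket",
 :mode => 0750,
 :desc => "Where FileBucket files are stored locally."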
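Review bot: The new `:ssldir` entry hardcodes `:group => "puppet"` while every other entry in this patch uses `"$group"`, so a deployment that overrides `group` gets an ssldir whose group does not match the daemon's and, at mode 01750 with no permissions for others, cannot be traversed by it; `:group => "$group",` keeps it consistent with the rest of the file. The sticky bit in `01750` has no effect on a directory that only its root owner can write to, so `0750` is probably what was intended. `:autosign` is given `:owner => "$user"`, which lets the unprivileged daemon account rewrite the policy that decides which certificate requests get signed; the daemon only reads that file, so `:owner => "root", :group => "$group", :mode => 0640` would match the treatment this patch gives `:privatedir`. Finally, `:hostprivkey`, `:hostcert` and `:localcacert` become root:root (0600/0640) inside a `:privatekeydir` that stays `$user`-owned, so on a host where puppetmasterd runs as `$user` it may no longer be able to open its own key and certificate unless they are loaded before privileges are dropped — worth confirming against the daemon's startup order.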