Fix CVE-2016-7404

This commit is a bare-bones stable/mitaka backport of the fix for
CVE-2016-7404. It only retains

* Permissions for /etc/sysconfig/heat-params inside Magnum
  created instances are tightened to 0600 (used to be 0755).

from the original patch. This was done for two reasons:

* Since stable/mitaka only passes tokens (which expire eventually)
  an attacker would have to gain access to the instance within
  a very short time window (the token expiration time).

* Backporting the remaining changes would have required
  backporting the trusts infrastructure that was only
  completed in stable/newton. This would mean a considerable
  change in the stable/mitaka default behaviour.

Please note, that this change does not apply apply to existing
clusters. They will have to be deleted and rebuilt to benefit
from these changes.

(cherry picked from commit 0bb0d6486d)

Change-Id: I329d29cdcce2225f8aa5b57852e6a37d4f8aaa3e

magnum/templates/kubernetes/fragments/write-heat-params-master.yaml

@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
       KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"

magnum/templates/mesos/fragments/write-heat-params.yaml

@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
       EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"

magnum/templates/swarm/fragments/write-heat-params.yaml

@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       WAIT_HANDLE="$WAIT_HANDLE"
       ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"