Tighten permissions on Etherpad settings file

The file in which our Etherpad settings reside is templated with sensitive data like an API key and DB password. Remove the world readable bit from it, and also drop user/group write perms while we're at it. Also switch the service's effective GID to match its UID and make sure the config's ownership is set accordingly. Change-Id: I65b70237b4bc8f4e63aa0b717702c124e01ed777
2024-05-01 16:26:39 +00:00 · 2024-05-01 16:26:39 +00:00 · f75191dbd4
parent f6a131ebc0
commit f75191dbd4
2 changed files with 5 additions and 0 deletions
--- a/playbooks/roles/etherpad/tasks/main.yaml
+++ b/playbooks/roles/etherpad/tasks/main.yaml
@ -89,6 +89,9 @@
  template:
    src: settings.json.j2
    dest: /etc/etherpad/settings.json
+    owner: 5001
+    group: 5001
+    mode: '0440'

 - name: Clean up from old ep_headings hack
  file:
--- a/zuul.d/docker-images/etherpad.yaml
+++ b/zuul.d/docker-images/etherpad.yaml
@ -9,6 +9,8 @@
        - context: docker/etherpad
          target: production
          repository: opendevorg/etherpad
+          build_args:
+            - EP_GID=5001
    files: &etherpad_files
      - docker/etherpad/