Allow change of file mode for generated files #70

Closed
hoggle64 opened this issue Aug 28, 2017 · 7 comments
Labels
enhancement New feature or request

Comments

@hoggle64

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.4
  • Ruby: 1.8.7
  • Distribution: Redhat 6.9
  • Module version: 2.0.0

We need to fix security issues reported by OpenSCAP. One of those issues points out that the permissions of files which were installed by an RPM should always stay the same.
This module changes the permissions of:

  • /etc/cron.daily/logrotate
  • /etc/logrotate.conf

though.

What are you seeing

Permissions are getting changed during the Puppet run:

```
Notice: /Stage[main]/Logrotate::Config/Logrotate::Cron[daily]/File[/etc/cron.daily/logrotate]/mode: mode changed '0700' to '0555'
Notice: /Stage[main]/Logrotate::Defaults/Logrotate::Conf[/etc/logrotate.conf]/File[/etc/logrotate.conf]/mode: mode changed '0644' to '0444'
```

What behaviour did you expect instead

No mode change of files which were delivered by an RPM package.

@juniorsysadmin juniorsysadmin added the enhancement New feature or request label Sep 29, 2017
@juniorsysadmin juniorsysadmin changed the title from "permissions of original RPM files" to "Allow change of file mode for generated files" Sep 29, 2017
@juniorsysadmin
Member

Fix would require adding file mode parameters to cron defined type, and also a parameter somewhere else to change mode for /etc/logrotate.conf

@hoggle64
Author

hoggle64 commented Sep 29, 2017

Sorry - I disagree.

The mode for /etc/logrotate.conf is explicitly set inside conf.pp:

```puppet
file { $name:
  ensure  => $ensure,
  owner   => $logrotate::root_user,
  group   => $logrotate::root_group,
  mode    => '0444',
  content => template('logrotate/etc/logrotate.conf.erb'),
  require => Package['logrotate'],
}
```

Setting the file mode at this point makes no sense.

> ...Fix would require adding file mode parameters to cron defined type...

If I switch it off with

```yaml
logrotate::manage_cron_daily: false
```

this problem is gone.

@juniorsysadmin
Member

@hoggle64 Miscommunication on my part here. My comment was outlining potential code in a new Pull Request that would be needed to fix your problem.

@hoggle64
Author

hoggle64 commented Oct 9, 2017

o.k. - thanks for the update

@juniorsysadmin juniorsysadmin self-assigned this Dec 6, 2017
@TJM

TJM commented Mar 30, 2018

+1 - We are also being dinged for OpenSCAP (security scan)

It would be nice, if these parameters were added, if they matched the RPM permissions by default :)

```
# rpm -V logrotate
SM5....T.  c /etc/cron.daily/logrotate
SM5....T.  c /etc/logrotate.conf
# ls -l /etc/logrotate.conf /etc/cron.daily/logrotate
-r-xr-xr-x. 1 root root 313 Mar 16 16:01 /etc/cron.daily/logrotate
-r--r--r--. 1 root root 175 Mar 16 16:01 /etc/logrotate.conf
# rpm -qlv logrotate | head -2
-rwx------    1 root    root                      219 Jan 24  2017 /etc/cron.daily/logrotate
-rw-r--r--    1 root    root                      662 Jul 31  2013 /etc/logrotate.conf
```
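
Added example, not part of the thread or of the puppet-logrotate module: a Python helper that decodes the `rpm -V` flag column and compares packaged modes (`rpm -qlv`) with on-disk modes (`ls -l`), using the output lines posted above as sample input. The function names are hypothetical, and it assumes paths without spaces or symlink arrows.

```python
import re

# Attribute letters `rpm -V` prints in its flag column.
RPM_V_FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
               "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
               "P": "capabilities"}

# Sample input: lines copied from the output in this thread (spacing condensed).
VERIFY = ["SM5....T.  c /etc/cron.daily/logrotate",
          "SM5....T.  c /etc/logrotate.conf"]
ON_DISK = ["-r-xr-xr-x. 1 root root 313 Mar 16 16:01 /etc/cron.daily/logrotate",
           "-r--r--r--. 1 root root 175 Mar 16 16:01 /etc/logrotate.conf"]
PACKAGED = ["-rwx------  1 root  root  219 Jan 24  2017 /etc/cron.daily/logrotate",
            "-rw-r--r--  1 root  root  662 Jul 31  2013 /etc/logrotate.conf"]

def parse_rpm_verify(line):
    """Return (path, [changed attributes]) for one `rpm -V` line, else None."""
    m = re.match(r"([SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(/.*)$", line.strip())
    if not m:
        return None  # "missing ..." lines and unrelated output
    return m.group(2), [RPM_V_FLAGS[c] for c in m.group(1) if c in RPM_V_FLAGS]

def symbolic_to_octal(perms):
    """Convert a mode string such as '-rwx------' or '-r-xr-xr-x.' to '0700'."""
    bits = perms[1:10]
    if len(bits) != 9:
        raise ValueError("bad mode string: %r" % perms)
    mode = 0
    for i, ch in enumerate(bits):
        if ch in "rwxst":            # permission bit set (s/t imply execute)
            mode |= 1 << (8 - i)
        if ch in "sStT":             # setuid, setgid or sticky
            mode |= {2: 0o4000, 5: 0o2000, 8: 0o1000}[i]
    return "%04o" % mode

def listing_modes(lines):
    """Map path -> octal mode from `ls -l` or `rpm -qlv` lines."""
    return {f[-1]: symbolic_to_octal(f[0])
            for f in (l.split() for l in lines) if len(f) > 1 and f[-1].startswith("/")}

def mode_drift(packaged_lines, on_disk_lines):
    """Return {path: (packaged_mode, on_disk_mode)} where the two differ."""
    pkg, disk = listing_modes(packaged_lines), listing_modes(on_disk_lines)
    return {p: (pkg[p], disk[p]) for p in pkg if p in disk and pkg[p] != disk[p]}

if __name__ == "__main__":
    for path, (want, have) in sorted(mode_drift(PACKAGED, ON_DISK).items()):
        print("%s: packaged %s, on disk %s" % (path, want, have))
```
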

@bastelfreak
Member

@TJM could you provide a fix for that?

@juniorsysadmin juniorsysadmin removed their assignment Mar 31, 2018
@TJM

TJM commented Apr 2, 2018

@bastelfreak would it be wrong to convert to module hiera data to add this feature? :-/

TJM added a commit to TJM/puppet-logrotate that referenced this issue Apr 3, 2018