From b22c3e38fe751051385392caa7c3957c5f475f5c Mon Sep 17 00:00:00 2001
From: Daniel Miranda
Date: Fri, 25 Nov 2016 17:45:27 -0200
Subject: [PATCH] Fix Redis sentinel configuration file permissions

The Sentinel config file contains the Redis password, and therefore, cannot be publicly readable. Also ensure files have the redis group set.
---
 tasks/sentinel.yml | 3 +++
 tasks/server.yml | 1 +
 2 files changed, 4 insertions(+)

diff --git a/tasks/sentinel.yml b/tasks/sentinel.yml
index 03478426..88a7fc94 100644
--- a/tasks/sentinel.yml
+++ b/tasks/sentinel.yml
@@ -97,6 +97,7 @@
 src: redis_sentinel.conf.j2
 dest: /etc/redis/sentinel_{{ redis_sentinel_port }}.conf
 owner: "{{ redis_user }}"
+ group: "{{ redis_group }}"
 mode: 0640
 notify: restart sentinel

@@ -104,6 +105,7 @@
 template:
 dest: /etc/sysconfig/sentinel_{{ redis_sentinel_port }}
 src: redis.init.conf.j2
+ mode: 0600
 when: ansible_os_family == "RedHat"
 notify: restart sentinel

@@ -111,6 +113,7 @@
 template:
 dest: /etc/default/sentinel_{{ redis_sentinel_port }}
 src: redis.init.conf.j2
+ mode: 0600
 when: ansible_os_family == "Debian"
 notify: restart sentinel

diff --git a/tasks/server.yml b/tasks/server.yml
index a01ff799..a7762454 100644
--- a/tasks/server.yml
+++ b/tasks/server.yml
@@ -97,6 +97,7 @@
 src: redis.conf.j2
 dest: /etc/redis/{{ redis_port }}.conf
 owner: "{{ redis_user }}"
+ group: "{{ redis_group }}"
 mode: 0640
 notify: restart redis

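Review bot: The added `group: "{{ redis_group }}"` on the `sentinel_{{ redis_sentinel_port }}.conf` task relies on a `redis_group` variable that nothing in this commit defines. If the role's defaults do not already provide it, the task will fail on an undefined variable, so a default such as `redis_group: "{{ redis_user }}"` should ship with this change. With the existing `mode: 0640`, every member of that group can read the Redis password; if only the service account needs the file, `mode: "0600"` is the tighter choice. The same two points apply to the `/etc/redis/{{ redis_port }}.conf` hunk in tasks/server.yml. The task itself starts above the hunk.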
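Review bot: The added `mode: 0600` on the `/etc/sysconfig/sentinel_{{ redis_sentinel_port }}` task sets no `owner` or `group`, so the restriction protects the file only for whichever account already owns it or runs the play. If the init script reads this file as root, which the hunk does not show, adding `owner: root` and `group: root` would make the outcome deterministic. Writing the value as a quoted string, `mode: "0600"`, also avoids depending on the YAML parser reading the bare literal as octal. Both points apply equally to the `/etc/default/sentinel_{{ redis_sentinel_port }}` hunk that follows. The tasks' `name:` lines are outside the hunks.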