Per conversation with @ccaum, switching to a whitelist approach to file permissions and using a default of 0400; overriding it to 0644 when needed.

justinellison · justinellison · commit 579651cad0a9 · 2012-01-04T12:52:28.000-06:00
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -25,19 +25,18 @@
     }
     file{'/root/.my.cnf':
       content => template('mysql/my.cnf.pass.erb'),
-      mode  => '0400',
     }
     if $etc_root_password {
        file{'/etc/my.cnf':
           content => template('mysql/my.cnf.pass.erb'),
           require => Exec['set_mysql_rootpw'],
-          mode  => '0400',
        }
     }
   }
   File {
     owner => 'root',
     group => 'root',
+    mode  => '0400',
     notify  => Exec['mysqld-restart'],
     require => Package['mysql-server']
   }
@@ -52,5 +51,6 @@
 
   file { '/etc/mysql/my.cnf':
     content => template('mysql/my.cnf.erb'),
+    mode    => '0644'
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -25,19 +25,18 @@`
`25`	`25`	`}`
`26`	`26`	`file{'/root/.my.cnf':`
`27`	`27`	`content => template('mysql/my.cnf.pass.erb'),`
`28`		`- mode => '0400',`
`29`	`28`	`}`
`30`	`29`	`if $etc_root_password {`
`31`	`30`	`file{'/etc/my.cnf':`
`32`	`31`	`content => template('mysql/my.cnf.pass.erb'),`
`33`	`32`	`require => Exec['set_mysql_rootpw'],`
`34`		`- mode => '0400',`
`35`	`33`	`}`
`36`	`34`	`}`
`37`	`35`	`}`
`38`	`36`	`File {`
`39`	`37`	`owner => 'root',`
`40`	`38`	`group => 'root',`
	`39`	`+ mode => '0400',`
`41`	`40`	`notify => Exec['mysqld-restart'],`
`42`	`41`	`require => Package['mysql-server']`
`43`	`42`	`}`
`@@ -52,5 +51,6 @@`
`52`	`51`
`53`	`52`	`file { '/etc/mysql/my.cnf':`
`54`	`53`	`content => template('mysql/my.cnf.erb'),`
	`54`	`+ mode => '0644'`
`55`	`55`	`}`
`56`	`56`	`}`