Permissions too restrictive on /etc/mysql/my.cnf #32
Conversation
users need to be able to read that file. We should set 0644 on /etc/mysql/my.cnf, but use 0400 on /etc/my.cnf and /root/.my.cnf because they contain passwords in plaintext.
} | ||
} | ||
} | ||
File { | ||
owner => 'root', | ||
group => 'root', | ||
mode => '0400', |
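Review bot: a File resource default of `mode => '0400'` applies to every file resource in this scope, including /etc/mysql/my.cnf, which the description says normal users must be able to read; that resource should carry an explicit `mode => '0644'` so the default does not lock it down, while /etc/my.cnf and /root/.my.cnf (which hold plaintext passwords) inherit the 0400 default as intended.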
This is unnecessary. You should override the default on the one file you want to be different (/etc/mysql/my.cnf) so just set the mode on that one resource and leave the resource default.
I think the 'default' is a matter of taste here. I see it as more of a "default is 644, but if there are passwords in the file, override the default and make the perms 400". Also, out of the box, the $etc_root_password variable won't be set, so you'll have one file 644, the other 400, making it a 50/50 split.
Certainly not anything I'll spend a lot of energy debating on though :) If after reading this you still would prefer it changed, just let me know and I'll fix it up.
I'm creating the issue on puppetlabs now.
I'm fine with that, but I'd still prefer to have a file resource default. If we add another file resource I'd prefer to have some reasonable default mode. I guess the question is whether it is better to be open by default or closed. Considering the importance of security in this module, I'd err on the side of being locked down by default.
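The pattern the thread settles on, written out as an added example (this is not the module's own code, and the class name, template path and file contents are placeholders I constructed): a File resource default locks every file resource in the class to 0400, and the one file that normal users must read overrides it to 0644.

```puppet
# Added example, not puppetlabs-mysql code. The class name and the
# source/content values are placeholders constructed for illustration.
class mysql_perms_example (
  $etc_root_password = '',
) {
  # Resource default: every file resource declared in this class (and in
  # classes contained by it) gets these attributes unless it sets them itself.
  # Closed by default, so any file added later is locked down unless the
  # author deliberately opens it.
  File {
    owner => 'root',
    group => 'root',
    mode  => '0400',
  }

  # Holds the [client] section that ordinary users need to read, so this
  # single resource overrides the default mode.
  file { '/etc/mysql/my.cnf':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/mysql_perms_example/my.cnf', # placeholder path
  }

  # Contains a plaintext password: no mode given, so it inherits 0400.
  file { '/root/.my.cnf':
    ensure  => file,
    content => "[client]\nuser=root\npassword=${etc_root_password}\n", # constructed
  }

  # Same for the server-side copy; only managed when a password was supplied,
  # mirroring the thread's note that $etc_root_password is unset out of the box.
  if $etc_root_password != '' {
    file { '/etc/my.cnf':
      ensure  => file,
      content => "[client]\nuser=root\npassword=${etc_root_password}\n", # constructed
    }
  }
}
```

With this layout, `puppet apply --noop` on a host shows only /etc/mysql/my.cnf drifting to 0644; the two credential files stay at 0400 without each declaring a mode, which is the "locked down by default" behaviour argued for above.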
Works for me - see 579651c
Definitely file a bug. Set the category to mysql http://projects.puppetlabs.com/projects/modules/issues
Bug filed at: http://projects.puppetlabs.com/issues/11720
…le permissions and using a default of 0400; overriding it to 0644 when needed.
@kbarber Can you give a thumbs up/down?
👍 from me on this
This change is in b1f90fd
Delete broken line
Since /etc/mysql/my.cnf contains the [client] section, normal
users need to be able to read that file. We should set 0644
on /etc/mysql/my.cnf, but use 0400 on /etc/my.cnf and
/root/.my.cnf because they contain passwords in plaintext.
I gotta run, and won't be back until Tues Jan 3rd. Let me know if I need to file a bug report -- if anyone wants to save me the trouble, I'd appreciate it :)