puppet: Match the x bits on directories to what puppet actually does.

Puppet _always_ sets the `+x` bit on directories if they have the `r`
bit set for that slot[^1]:

> When specifying numeric permissions for directories, Puppet sets the
> search permission wherever the read permission is set.

As such, for instance, `0640` is actually applied as `0750`.

Fix what we "want" to match what puppet is applying, by adding the `x`
bit.  In none of these cases did we actually intend the directory to
not be executable.

[^1]: https://www.puppet.com/docs/puppet/5.5/types/file.html#file-attribute-mode
Alex Vandiver
2023-01-26 22:26:51 +00:00
committed by Tim Abbott
parent 372bba4a8e
commit e8123dfeea
9 changed files with 15 additions and 15 deletions


@@ -199,7 +199,7 @@ class zulip::app_frontend_base {
ensure => directory,
owner => 'zulip',
group => 'zulip',
mode => '0640',
mode => '0750',
}
file { "${zulip::common::nagios_plugins_dir}/zulip_app_frontend":


@@ -73,7 +73,7 @@ class zulip::nginx {
ensure => directory,
owner => 'zulip',
group => 'adm',
mode => '0650',
mode => '0750',
}
file { '/etc/logrotate.d/nginx':
ensure => file,
@@ -90,7 +90,7 @@ class zulip::nginx {
ensure => directory,
owner => 'zulip',
group => 'adm',
mode => '0660',
mode => '0770',
}
service { 'nginx':
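Review bot: The second hunk declares its directory `0770` with group `adm`, which writes group write access into the manifest as the intended state. That is faithful to what Puppet was already applying for `0660`, so exposure does not change, but the hunk does not show whether `adm` needs to create or delete entries there. If the group only reads, as with the `0750` directory in the first hunk, `mode => '0750',` would be the tighter value. The resource title sits above the hunk, so I cannot tell which path this is.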


@@ -44,7 +44,7 @@ class zulip::postgresql_common {
# allows ssl-cert group to read /etc/pki/tls/private
file { '/etc/pki/tls/private':
ensure => directory,
mode => '0640',
mode => '0750',
owner => 'root',
group => 'ssl-cert',
}
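Review bot: The group slot on `/etc/pki/tls/private` becomes `r-x`, which lets every `ssl-cert` member list the private-key directory as well as open files in it. Opening a key whose path is already known needs only search permission, and as far as I know Debian ships its own `/etc/ssl/private` as `0710` for that reason. If listing is not required, `mode => '0710',` would be the least-privilege value, and because the group slot then has no `r` bit Puppet would add nothing to it. The comment above the resource says "read", so it may be worth confirming whether it means the directory itself or the files in it.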


@@ -79,7 +79,7 @@ class zulip::profile::base {
file { '/etc/zulip':
ensure => directory,
mode => '0644',
mode => '0755',
owner => 'zulip',
group => 'zulip',
links => follow,
@@ -117,14 +117,14 @@ class zulip::profile::base {
file { '/var/lib/nagios_state/':
ensure => directory,
group => 'zulip',
mode => '0774',
mode => '0775',
}
file { '/var/log/zulip':
ensure => directory,
owner => 'zulip',
group => 'zulip',
mode => '0640',
mode => '0750',
}
file { "${zulip::common::nagios_plugins_dir}/zulip_base":


@@ -19,7 +19,7 @@ class zulip_ops::apache {
require => Package['apache2'],
owner => 'root',
group => 'root',
mode => '0644',
mode => '0755',
}
file { '/etc/apache2/ports.conf':
@@ -37,6 +37,6 @@ class zulip_ops::apache {
require => Package[apache2],
owner => 'root',
group => 'root',
mode => '0640',
mode => '0750',
}
}


@@ -64,7 +64,7 @@ class zulip_ops::profile::base {
require => User['zulip'],
owner => 'zulip',
group => 'zulip',
mode => '0600',
mode => '0700',
}
# Clear /etc/update-motd.d, to fix load problems with Nagios
@@ -170,14 +170,14 @@ class zulip_ops::profile::base {
require => User['nagios'],
owner => 'nagios',
group => 'nagios',
mode => '0600',
mode => '0700',
}
file { '/var/lib/nagios/.ssh':
ensure => directory,
require => File['/var/lib/nagios/'],
owner => 'nagios',
group => 'nagios',
mode => '0600',
mode => '0700',
}
file { '/home/nagios':
ensure => absent,


@@ -60,7 +60,7 @@ class zulip_ops::profile::grafana {
ensure => directory,
owner => 'root',
group => 'root',
mode => '0644',
mode => '0755',
}
file { '/etc/grafana/grafana.ini':
ensure => file,


@@ -32,7 +32,7 @@ class zulip_ops::profile::prometheus_server {
ensure => directory,
owner => 'root',
group => 'root',
mode => '0644',
mode => '0755',
}
file { '/etc/prometheus/prometheus.yaml':
ensure => file,


@@ -30,7 +30,7 @@ class zulip_ops::profile::zmirror_personals {
file { ['/home/zulip/api-keys', '/home/zulip/zephyr_sessions', '/home/zulip/ccache',
'/home/zulip/mirror_status']:
ensure => directory,
mode => '0644',
mode => '0755',
owner => 'zulip',
group => 'zulip',
}
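Review bot: All four directories in this resource share `0755`, so `/home/zulip/api-keys` (and possibly `/home/zulip/zephyr_sessions`) is declared listable and traversable by every local user. This matches what Puppet was already applying for `0644`, so the commit does not widen anything. But unless `/home/zulip` itself blocks traversal, the confidentiality of whatever is stored there rests entirely on per-file modes, which this hunk does not show. I would move the credential-bearing paths into their own `file` resource with `mode => '0700',` and leave `ccache` and `mirror_status` at `0755`.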