Security: plugin-config should not me world readable as it might contain passwords

diff --git a/manifests/plugin.pp b/manifests/plugin.pp
index e9e5dba..36fc81b 100644 (file)
--- a/manifests/plugin.pp
+++ b/manifests/plugin.pp
@@ -47,7 +47,7 @@ define munin::plugin (
             content => "[${name}]\n${config}\n",
             owner   => root,
             group   => 0,
-            mode    => '0644',
+            mode    => '0640',
           }
         }
       }

diff --git a/manifests/plugins/setup.pp b/manifests/plugins/setup.pp
index caf2e28..5c56099 100644 (file)
--- a/manifests/plugins/setup.pp
+++ b/manifests/plugins/setup.pp
@@ -1,15 +1,22 @@
 class munin::plugins::setup {
   file {
     [ '/etc/munin/plugins', '/etc/munin/plugin-conf.d' ]:
-      ignore => 'snmp_*',
-      ensure => directory, checksum => mtime,
-      recurse => true, purge => true, force => true,
-      mode => 0755, owner => root, group => 0,
-      notify => Service['munin-node'];
+      ignore    => 'snmp_*',
+      ensure    => directory,
+      checksum  => mtime,
+      recurse  => true,
+      purge     => true,
+      force     => true,
+      notify    => Service['munin-node'],
+      owner     => root,
+      group     => 0,
+      mode      => '0755';
     '/etc/munin/plugin-conf.d/munin-node':
-      ensure => present,
-      mode => 0644, owner => root, group => 0,
-      notify => Service['munin-node'],
+      ensure    => present,
+      notify    => Service['munin-node'],
+      owner     => root,
+      group     => 0,
+      mode      => '0640';
   }
   case $::kernel {
     openbsd: {