From b90230997c2b39e84fbae1888acfe6315efb6109 Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jan@dittberner.info>
Date: Sun, 25 Sep 2016 17:27:42 +0200
Subject: [PATCH] Protect /etc/salt/grains

Make sure that the permissions of /etc/salt/grains only allow access for the
root user.
---
 bootstrap.sh.tmpl    | 1 +
 states/base/init.sls | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/bootstrap.sh.tmpl b/bootstrap.sh.tmpl
index 5a4245e..979bcfa 100755
--- a/bootstrap.sh.tmpl
+++ b/bootstrap.sh.tmpl
@@ -30,6 +30,7 @@ pillar_roots:
 log_file: file:///dev/log
 EOF
 
+umask 077
 cat >/etc/salt/grains <<EOF
 roles:
 # TODO: fill real roles
diff --git a/states/base/init.sls b/states/base/init.sls
index 15ec54f..1b665e9 100644
--- a/states/base/init.sls
+++ b/states/base/init.sls
@@ -11,6 +11,13 @@ base-packages:
       - git
       - locales-all
 
+/etc/salt/grains:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0600
+    - replace: False
+
 /home/vagrant/.screenrc:
   file.managed:
     - user: vagrant