From d6a8e9f062bc0b1d3fdfdb78afdc29a3a908308b Mon Sep 17 00:00:00 2001
From: Bernhard M. Wiedemann <bwiedemann@suse.de>
Date: Feb 19 2022 02:48:33 +0000
Subject: Restrict permissions on pagure configs


to not leak the database password to every process on the machine

---

diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls
index c91d13c..bfbeb43 100644
--- a/salt/profile/pagure/init.sls
+++ b/salt/profile/pagure/init.sls
@@ -21,6 +21,8 @@ pagure_conf:
     - name: /etc/pagure/pagure.cfg
     - source: salt://profile/pagure/files/pagure.cfg
     - template: jinja
+    - group: git
+    - mode: '0640'
     - require_in:
       - service: pagure_web_service
     - watch_in:
@@ -40,6 +42,8 @@ pagure_alembic_conf:
     - name: /etc/pagure/alembic.ini
     - source: salt://profile/pagure/files/alembic.ini
     - template: jinja
+    - group: git
+    - mode: '0640'
     - require_in:
       - service: pagure_web_service
     - watch_in: