Restrict access to the frontend config

[baszoetekouw]

SUMMARY

Restrict access to the web frontend config file /etc/zabbix/web/zabbix.conf.php.
The file contains passwords, so should not be publicly readable. Also fix the owner for the case that the fpm user differs from the www user.

ISSUE TYPE

• Bugfix Pull Request

COMPONENT NAME

zabbix_web

ADDITIONAL INFORMATION

Currently, the config file gets these permissions:

-rw-r--r--  1 www-data www-data 756 Mar 27 20:38 /etc/zabbix/web/zabbix.conf.php

This is undesired, as the file contains the database password. Also, the owner/group are wrong in the case that the zabbix_php_fpm_conf_user differs from zabbix_web_user.

This patch restricts the (default) permissions to 0640, changes the owner to zabbix_web_user (or zabbix_php_fpm_conf_user if it is defined) and the group to zabbix_web_group (or zabbix_php_fpm_conf_group if it is defined).

[eb4x]

Good catch on the permissions!

This change is so good, I think you should simplify their names and promote those variables to defaults/main.yml. It's a very common use-case to have different php users, esp. in shared environments. (or at least it was a common use-case, probably less so with virt and containers these days, but still...)

zabbix_web_php_user: "{{ zabbix_web_user }}"
zabbix_web_php_group: "{{ zabbix_web_group }}"

And also if you could just add those vars to the docs/ZABBIX_WEB_ROLE.md with short explanation for their use case pretty please 😸

[eb4x]

Apparently I missed the part where we actually had a zabbix_php_fpm_conf_*, so just promote those to defaults/main.yml (and set the values to the corresponding zabbix_web_{user,group})

[pyrodie18]

Also need to update ./molecule/zabbix_web/tests/test_default.py to the new mode or the tests will never pass.