Fix ansible-lint risky-file-permissions with explicit modes#6930
Open
millerdev wants to merge 11 commits into
Open
Fix ansible-lint risky-file-permissions with explicit modes#6930millerdev wants to merge 11 commits into
millerdev wants to merge 11 commits into
Conversation
Add explicit mode: to file/copy/template/get_url/lineinfile tasks where the mode equals the current umask default (0644 for files, 0755 for dirs) — i.e. provably zero permission change on any host. Drop the matching risky-file-permissions entries for the fully-resolved files from .ansible-lint-ignore. Files whose safe mode is non-default (package-managed configs, secrets, data dirs) will be handled separately.
Set mode 0640 on the datadog.yaml template, matching the datadog package default (0640 dd-agent:dd-agent). No permission change.
Set owner/group postgres and explicit modes on the pgbouncer config and auth templates so they no longer rely on package-set ownership. This brings the role-created pgbouncer-N.ini (previously root:root 0644) into line with the package-owned pgbouncer.ini / userlist.txt (postgres:postgres 0640); the pgbouncer daemon runs as postgres.
Set owner/group root and mode 0640 on the keepalived.conf template (matching the sibling notify_script task). The keepalived daemon runs as root; 0640 removes world-read of the VRRP auth_pass.
Create the cchq user's ~/.ssh explicitly as a 0700 directory (owner cchq) before keys are written — it was previously created implicitly by blockinfile with 0755 cchq:cchq. Set ~/.ssh/config to owner/group cchq, mode 0600.
- Set postgres WAL archive directory so it isn't world-accessible. Should be benign because parent /opt/data has a tighter mode 0700. - Make pg_hba.conf perms explicit, matching the Debian package default. - recovery.conf holds the replication primary_conninfo (including a password), so restrict it to owner-only read by the postgres process.
Set mode 0750 on the clickhouse data directory (/opt/data/clickhouse) so the data is not world-accessible. The clickhouse server runs with user clickhouse. The directory holds Sentry's event/error data — stack traces, request payloads, breadcrumbs, user context — which can easily contain API keys, tokens, PII, or other sensitive values that got logged or captured in an exception.
Error: The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'dest'
The error appears to be in 'src/commcare_cloud/ansible/roles/pg_repack/tasks/main.yml': line 66, column 5, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: Run queries from SQL script
^ here
Erroneously removed in cccd79d
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ansible-lint's
risky-file-permissionsrule flags anyfile,copy, ortemplatetask that doesn't set an explicitmode, since the resulting permissions otherwise depend on the umask of the machine running Ansible. This PR works through the roles that were suppressing that rule in.ansible-lint-ignoreand gives each task an explicit mode, removing the corresponding ignore entries.Most changes simply pin the mode Ansible was already applying by default (e.g.
0644for config files,0755for directories), so there is no behavior change. A handful of tasks also tighten permissions and/or add explicitowner/groupwhere the existing default was looser than it should be for sensitive files – these were split into separate commits with explicit messaging on how the risks handled.https://dimagi.atlassian.net/browse/SAAS-19980
🐡 Review by commit.
Environments Affected
All.
deploy-stackhas been run on staging as part of testing for this PR.Announce New Release