Skip to content

Fix ansible-lint risky-file-permissions with explicit modes#6930

Open
millerdev wants to merge 11 commits into
masterfrom
dm/fix-risky-file-permissions
Open

Fix ansible-lint risky-file-permissions with explicit modes#6930
millerdev wants to merge 11 commits into
masterfrom
dm/fix-risky-file-permissions

Conversation

@millerdev

Copy link
Copy Markdown
Contributor

Ansible-lint's risky-file-permissions rule flags any file, copy, or template task that doesn't set an explicit mode, since the resulting permissions otherwise depend on the umask of the machine running Ansible. This PR works through the roles that were suppressing that rule in .ansible-lint-ignore and gives each task an explicit mode, removing the corresponding ignore entries.

Most changes simply pin the mode Ansible was already applying by default (e.g. 0644 for config files, 0755 for directories), so there is no behavior change. A handful of tasks also tighten permissions and/or add explicit owner/group where the existing default was looser than it should be for sensitive files – these were split into separate commits with explicit messaging on how the risks handled.

https://dimagi.atlassian.net/browse/SAAS-19980

🐡 Review by commit.

Environments Affected

All.

  • If the changes affect multiple environments, I will ensure they are rolled out consistently across all environments.

deploy-stack has been run on staging as part of testing for this PR.

Announce New Release
  • (Dimagi only) After merging, I will follow these instructions to announce a new commcare-cloud release.

millerdev added 11 commits July 1, 2026 12:21
Add explicit mode: to file/copy/template/get_url/lineinfile tasks where
the mode equals the current umask default (0644 for files, 0755 for
dirs) — i.e. provably zero permission change on any host. Drop the
matching risky-file-permissions entries for the fully-resolved files
from .ansible-lint-ignore.

Files whose safe mode is non-default (package-managed configs, secrets,
data dirs) will be handled separately.
Set mode 0640 on the datadog.yaml template, matching the datadog package
default (0640 dd-agent:dd-agent). No permission change.
Set owner/group postgres and explicit modes on the pgbouncer config and
auth templates so they no longer rely on package-set ownership. This
brings the role-created pgbouncer-N.ini (previously root:root 0644) into
line with the package-owned pgbouncer.ini / userlist.txt
(postgres:postgres 0640); the pgbouncer daemon runs as postgres.
Set owner/group root and mode 0640 on the keepalived.conf template
(matching the sibling notify_script task). The keepalived daemon runs
as root; 0640 removes world-read of the VRRP auth_pass.
Create the cchq user's ~/.ssh explicitly as a 0700 directory (owner cchq)
before keys are written — it was previously created implicitly by
blockinfile with 0755 cchq:cchq.

Set ~/.ssh/config to owner/group cchq, mode 0600.
- Set postgres WAL archive directory so it isn't world-accessible.
  Should be benign because parent /opt/data has a tighter mode 0700.
- Make pg_hba.conf perms explicit, matching the Debian package default.
- recovery.conf holds the replication primary_conninfo (including a
  password), so restrict it to owner-only read by the postgres process.
Set mode 0750 on the clickhouse data directory (/opt/data/clickhouse)
so the data is not world-accessible. The clickhouse server runs with
user clickhouse.

The directory holds Sentry's event/error data — stack traces, request
payloads, breadcrumbs, user context — which can easily contain API keys,
tokens, PII, or other sensitive values that got logged or captured in an
exception.
Error: The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'dest'

The error appears to be in 'src/commcare_cloud/ansible/roles/pg_repack/tasks/main.yml': line 66, column 5, but may be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  - name: Run queries from SQL script
    ^ here
Erroneously removed in cccd79d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant