
Recursively set TLS permissions

Open ilpianista opened this issue 5 years ago • 6 comments

When vault_tls_config_path already exists and vault_tls_copy_keys is set to false, only the certificates root folder (vault_tls_config_path) gets the correct permissions, while the certificates inside aren't touched.

ilpianista avatar Jul 01 '20 13:07 ilpianista

You're right! But let me rephrase: please add a `mode:`, ansible-lint 4.3+ checks for that.

bbaassssiiee avatar Sep 29 '20 13:09 bbaassssiiee

Ok, it's a bit harder than that.

Since there's the recurse parameter, the mode that we specify is also applied to the files inside the folder, thus making the files executable. As a workaround I could use a symbolic mode (e.g. u=rwX,g=rX,o=rX), but that will overwrite the permissions which are already set on the files if vault_tls_copy_keys is set to false.

I'm not sure what's the best thing to do here.

ilpianista avatar Sep 29 '20 14:09 ilpianista

Group and others don't need access to TLS files.

bbaassssiiee avatar Oct 07 '20 14:10 bbaassssiiee

> Group and others don't need access to TLS files.

Exactly. If I use mode: "u=rwX,g=rX,o=rX" combined with recurse: yes, then group and others get access to them.

ilpianista avatar Oct 07 '20 16:10 ilpianista

To recap:

  • if we only set recurse: yes, then ansible-lint complains
  • if we set recurse: yes && mode: 0755, then the TLS files get the executable bit
  • if we set recurse: yes && mode: u=rwX,g=rX,o=rX, then the TLS files are readable by group and others.

May I simply add a skip_ansible_lint tag to this task?

ilpianista avatar Oct 07 '20 16:10 ilpianista
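One way to get a `mode:` on every task (so ansible-lint is satisfied) without `recurse: yes` pushing the directory mode onto the key files is to handle the directory and the files in separate tasks. The following is an added example, not the role's own code: `vault_tls_config_path` and `vault_tls_copy_keys` are the variables named in this thread, while `vault_tls_owner` and `vault_tls_group` are hypothetical names assumed here. It applies the owner-only policy stated above (0750 on the directory, 0600 on each file, no executable bit) and only touches pre-existing files when the role did not copy them itself.

```yaml
# Added example (not part of the ansible-vault role).
# Assumed variables: vault_tls_config_path, vault_tls_copy_keys (from the thread);
# vault_tls_owner, vault_tls_group (hypothetical).
- name: Ensure TLS config directory exists with a restrictive mode
  ansible.builtin.file:
    path: "{{ vault_tls_config_path }}"
    state: directory
    owner: "{{ vault_tls_owner }}"
    group: "{{ vault_tls_group }}"
    mode: "0750"          # directory needs x for traversal, files do not

- name: Find existing TLS files when the role did not copy them itself
  ansible.builtin.find:
    paths: "{{ vault_tls_config_path }}"
    file_type: file
    recurse: true
  register: vault_tls_existing_files
  when: not vault_tls_copy_keys

- name: Set owner-only, non-executable mode on each TLS file
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: "{{ vault_tls_owner }}"
    group: "{{ vault_tls_group }}"
    mode: "0600"          # no group/other read, no executable bit
  loop: "{{ vault_tls_existing_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  when: not vault_tls_copy_keys
```

Because the file tasks never use `recurse`, the directory's `0750` is not copied onto the certificates and keys, and each task still carries an explicit `mode:` so no `skip_ansible_lint` tag is needed. The `default([])` keeps the loop empty when the `find` task was skipped.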

Adding skip_ansible_lint is Ok if the mode: works.

bbaassssiiee avatar Dec 23 '20 15:12 bbaassssiiee

Too outdated

bbaassssiiee avatar Nov 15 '22 12:11 bbaassssiiee

FTR: superseded by #306

ilpianista avatar Dec 05 '22 09:12 ilpianista