On 17 February 2015 at 16:16, Josh Smift <[email protected]> wrote:

> One thing about SSH keys is that they're generally unique to one person
> (or one account anyway). I feel like there's a not-uncommon use case for
> wanting your sysadmins (in a Unix group 'sysadmin', say) to be able to
> access Ansible vault files as themselves (i.e. without sudo), which would
> be easy if files were group 'sysadmin' and group-writable.
>
> I think it'd be fine for Ansible to warn about and/or refuse to run in
> this way, by default, but I think it should be an option to allow it.
>
>
I would agree that such a use case is certainly foreseeable.

In my mind, vault is responsible for encrypting data within my file, but
isn't responsible for determining a sensible mode or owner for said file.

Also, if I commit a file with mode 0600 into version control, and someone
else checks out the same file, there is no telling what mode it will end up
as in their working tree. So enforcing a mode seems kind of pointless for
many workflows.

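The two points raised in this thread, as an added example that is not part of either message and is not Ansible's code: a permission check that refuses group access by default but can be told to allow it, and a demonstration that a file committed as 0600 comes back with whatever mode the umask of the person checking it out dictates (Git records only the executable bit). The function names, the ok/warn/refuse policy and the file contents are assumptions made for illustration.

```python
import os
import stat
import tempfile


def classify_mode(mode, allow_group=False):
    """Hypothetical policy: world access is always refused; group access is
    refused by default and downgraded to a warning when explicitly allowed."""
    perms = stat.S_IMODE(mode)
    if perms & stat.S_IRWXO:
        return "refuse"
    if perms & stat.S_IRWXG:
        return "warn" if allow_group else "refuse"
    return "ok"


def checkout_mode(src, umask):
    """Recreate src as a new file, the way a checkout does: the resulting
    mode is 0666 & ~umask, whatever mode the original had."""
    dst = f"{src}.{umask:03o}"
    old = os.umask(umask)
    try:
        with open(src, "rb") as fin, open(dst, "wb") as fout:
            fout.write(fin.read())
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(dst).st_mode)


def demo():
    """Return (verdict for the 0600 original, {umask: (mode, default, group-allowed)})."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "vault.yml")
        with open(path, "w") as f:
            f.write("constructed placeholder, not real vault data\n")
        os.chmod(path, 0o600)
        committed = classify_mode(os.stat(path).st_mode)
        by_umask = {}
        for umask in (0o077, 0o027, 0o022):
            mode = checkout_mode(path, umask)
            by_umask[umask] = (mode, classify_mode(mode),
                               classify_mode(mode, allow_group=True))
        return committed, by_umask


if __name__ == "__main__":
    committed, by_umask = demo()
    print("as committed (0600):", committed)
    for umask, (mode, default, relaxed) in by_umask.items():
        print(f"umask {umask:03o} -> mode {mode:04o}: "
              f"default={default}, group allowed={relaxed}")
```

With a umask of 027 the copy is group-readable, so the default policy refuses it and the relaxed one only warns; with 022 it is world-readable and both refuse.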