On Mon, 16 Feb 2015 20:32 -0200, Giovanni Tirloni <[email protected]> wrote: > On Mon, 16 Feb 2015 12:46 -0800, [email protected] wrote: > > Hi. I recently submitted https://github.com/ansible/ansible/issues/10253, > > but it was closed. I commented before I read the part about comments on > > closed issues not being monitored, so I'm going to duplicate my thoughts > > here to discuss. > > IMHO, it's reasonable that Ansible wants to enforce sane file > permissions for the vault file. I think we can argue if Ansible should > refuse to run if the permissions aren't sane (like SSH) or if it should > always enforce them regardless. I'd vote for both ;-)
Thinking a bit more about this with the aim of finding a compromise, I wondered if perhaps we could have a setting telling ansible-vault what would be the expected file's mode in our environment (vault_file_permission) and if we should warn when that is different from the actual file's permission (vault_file_permission_warning). Although I'd prefer to have the vault file to adhere to umask 077 because I'm running from a central location and not sharing anything with other users (there are other security mechanisms to limit who can run access the account used for ansible), the warning option might be a good compromise. (Un)fortunately I don't have a good criminal mind so I can't think of many ways this would be a security issue. Perhaps others can weight in here. Giovanni -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1424201181.2516197.228880269.334C0180%40webmail.messagingengine.com. For more options, visit https://groups.google.com/d/optout.
