On 17.07.2017 23:13, Major Hayden wrote:
> On 07/04/2017 03:54 AM, Markus Zoeller wrote:
>> How do you deal with hosts which have a restrictive umask of 077
>> *before* openstack-ansible starts the setup? Do you start with the
>> default umask of 022 and opt-in later to that security hardening[1]?
>
> We don't test for that in the OpenStack-Ansible gates since those settings
> from openstack-ansible-security/ansible-hardening are disabled by default.
> It's possible to start with 022 and switch to 077 later, but that could cause
> additional problems.
>
>> What's the development policy of openstack-ansible regarding setting
>> file or directory permissions in tasks?
>>
>> * is a umask value of 022 assumed for tasks to work?
>
> Yes.
>
>> * should tasks always explicitly set the file/dir mode?
>
> They certainly should, and if they don't, we should adjust those tasks. I'd
> rather be as explicit as possible to reduce the chances of problems down the
> road if distribution defaults change.
>
A short grep in 'openstack-ansible' shows that the file permissions are
often not set. I used these commands:

    $ grep -n -R "template:" --include \*.yml -A 5
    $ grep -n -R "copy:" --include \*.yml -A 5

IIUC, we're using 'ansible-lint' for style checks. Does it make sense to
add a new rule which warns/enforces to set the mode (or group/user)?

--
Regards, Markus Zoeller (markus_z)

> --
> Major Hayden
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
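Two points from the thread, illustrated in one added example that is not part of the mail, of openstack-ansible, or of ansible-lint: first, what permission bits a file actually receives when a task omits `mode` under a 077 umask versus the 022 the tasks assume, and second, a line-based scanner in the spirit of the grep commands above that reports `template`/`copy`/`file` tasks with no mode set, which is the check a lint rule would perform. The sample tasks file, its task names and its paths are constructed for the example; the scanner uses only the standard library (no PyYAML) and is not an ansible-lint rule, though its logic could be wrapped in one.

```python
"""Added illustration: effective permissions without an explicit mode, and a
scanner for template/copy/file tasks that omit 'mode'. Not project code."""
import os
import re
import stat
import tempfile

# Modules whose resulting permissions depend on the host umask when 'mode' is omitted.
MODULES_NEEDING_MODE = ("template", "copy", "file")

TASK_START = re.compile(r"^(\s*)-\s")           # a YAML list item (task or nested item)
MODULE_LINE = re.compile(
    r"^(\s*)(-\s+)?(?:ansible\.builtin\.)?(%s):(.*)$" % "|".join(MODULES_NEEDING_MODE))
MODE_KEY = re.compile(r"^\s*mode\s*:")          # nested form:   mode: "0640"
INLINE_MODE = re.compile(r"\bmode=")            # k=v shorthand: copy: src=... mode=0644


def tasks_missing_mode(yaml_text):
    """Return [(line_number, module)] for every template/copy/file task without a mode.

    A task runs from the line carrying the module key until the next list item that
    starts at a shallower indentation than that key, so 'with_items' entries do not
    cut the task short. Both 'mode:' and 'mode=' count as setting the mode.
    """
    lines = yaml_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = MODULE_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")   # column of the module key
        module, rest = m.group(3), m.group(4)
        has_mode = bool(INLINE_MODE.search(rest))
        j = i + 1
        while j < len(lines):
            t = TASK_START.match(lines[j])
            if t and len(t.group(1)) < key_col:             # next task at the same list level
                break
            if MODE_KEY.match(lines[j]) or INLINE_MODE.search(lines[j]):
                has_mode = True
            j += 1
        if not has_mode:
            findings.append((i + 1, module))
        i = j
    return findings


def mode_created_under_umask(umask):
    """Create a file with the usual 0666 request under 'umask' and report the bits it
    gets ('implicit': what a task without mode inherits from the host) next to the
    bits after an explicit chmod 0644 ('explicit': what a task that sets mode gets)."""
    old_umask = os.umask(umask)
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "example.conf")
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
        implicit = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, 0o644)          # an explicit mode is applied regardless of the umask
        explicit = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_umask)
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(tmpdir)
    return {"implicit": implicit, "explicit": explicit}


# Constructed sample tasks file; names and paths are illustrative only.
SAMPLE_TASKS = """\
- name: Install config (nested form, mode set)
  template:
    src: nova.conf.j2
    dest: /etc/nova/nova.conf
    owner: nova
    group: nova
    mode: "0640"

- name: Install config (nested form, mode missing)
  ansible.builtin.template:
    src: neutron.conf.j2
    dest: /etc/neutron/neutron.conf
  with_items:
    - unused

- name: Copy script (key=value shorthand, mode set)
  copy: src=files/run.sh dest=/usr/local/bin/run.sh mode=0755

- copy: src=files/env dest=/etc/default/env
"""

if __name__ == "__main__":
    for umask in (0o022, 0o077):
        r = mode_created_under_umask(umask)
        print("umask %03o: without mode -> %04o, with mode 0644 -> %04o"
              % (umask, r["implicit"], r["explicit"]))
    for lineno, module in tasks_missing_mode(SAMPLE_TASKS):
        print("line %d: '%s' task does not set mode" % (lineno, module))
```

Run against a real role with `tasks_missing_mode(open(path).read())`; a task without `mode` that deploys a config file under a 077 umask ends up 0600, which is why a service user in a different group can no longer read it, while the explicitly set mode comes out the same on every host.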