# risky-file-permissions
This rule is triggered by various modules that could end up creating new files on disk with permissions that might be too open, or unpredictable. Please read the documentation of each module carefully to understand the implications of using different argument values, as these make the difference between using the module safely or not. The fix depends on each module and also your particular situation.
Some modules have a `create` argument that defaults to `true`. For those you either need to set `create: false` or provide explicit permissions such as `mode: 0600` to make the behavior predictable and not dependent on the current system settings.
Modules that are checked:

- `ansible.builtin.assemble`
- `ansible.builtin.copy`
- `ansible.builtin.file`
- `ansible.builtin.get_url`
- `ansible.builtin.replace`
- `ansible.builtin.template`
- `community.general.archive`
- `community.general.ini_file`
> **Warning**
>
> This rule does not take `module_defaults` configuration into account. There are currently no plans to implement this feature because changing task location can also change task behavior.
## Problematic code
## Correct code

```yaml
---
- name: Safe example of using ini_file (1st solution)
  community.general.ini_file:
    path: foo
    create: false # prevents creating a file with potentially insecure permissions

- name: Safe example of using ini_file (2nd solution)
  community.general.ini_file:
    path: foo
    mode: "0600" # explicitly sets the desired permissions, to make the results predictable

- name: Safe example of using copy (3rd solution)
  ansible.builtin.copy:
    src: foo
    dest: bar
    mode: preserve # copy has a special mode that sets the same permissions as the source file
```
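To make the rule's decision logic concrete, here is an added example (not ansible-lint's own code) that re-implements the check described above in a simplified form: a task using one of the listed modules passes if it sets `mode` (including copy's `preserve`), or, for a module whose `create` defaults to true, if it sets `create: false`; otherwise it is flagged. The task data is constructed for this example and is given as already-parsed Python structures (what a YAML loader would return for a playbook) so it runs without PyYAML. The set of modules treated as having `create` default to true is an assumption limited to `ini_file`, the only module the page shows with that argument.

```python
"""Simplified re-implementation of the risky-file-permissions check.

Added example: this is not ansible-lint's own rule code. It reproduces only the
logic the rule documentation describes and, like the real rule, ignores
``module_defaults``.
"""
from typing import Any, Dict, List, Optional, Tuple

# Modules the rule inspects, taken from the rule documentation.
CHECKED_MODULES = {
    "ansible.builtin.assemble",
    "ansible.builtin.copy",
    "ansible.builtin.file",
    "ansible.builtin.get_url",
    "ansible.builtin.replace",
    "ansible.builtin.template",
    "community.general.archive",
    "community.general.ini_file",
}

# Assumption for this example: modules whose ``create`` argument defaults to
# true, so ``create: false`` is an acceptable alternative to setting ``mode``.
CREATE_DEFAULTS_TRUE = {"community.general.ini_file"}


def is_false(value: Any) -> bool:
    """Ansible accepts several spellings of boolean false; normalise them."""
    if isinstance(value, bool):
        return value is False
    return str(value).strip().lower() in {"false", "no", "n", "off", "0"}


def find_checked_module(task: Dict[str, Any]) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Return (module name, module args) if the task uses a checked module."""
    for key, value in task.items():
        if key in CHECKED_MODULES:
            return key, value if isinstance(value, dict) else {}
    return None


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a finding for one task, or None when the task is considered safe."""
    found = find_checked_module(task)
    if found is None:
        return None
    module, args = found
    # An explicit mode (including copy's special ``preserve``) makes the
    # resulting permissions predictable regardless of the target's umask.
    if args.get("mode") is not None:
        return None
    # With ``create: false`` the module never creates a new file, so it never
    # chooses permissions for one.
    if module in CREATE_DEFAULTS_TRUE and is_false(args.get("create", True)):
        return None
    name = task.get("name", "<unnamed task>")
    return f"{name}: {module} may create a file with unpredictable permissions (set mode or create: false)"


def check_tasks(tasks: List[Dict[str, Any]]) -> List[str]:
    """Run the check over a task list and collect all findings."""
    findings = []
    for task in tasks:
        message = check_task(task)
        if message:
            findings.append(message)
    return findings


# Constructed sample: one unsafe ini_file task, the three safe tasks from the
# rule documentation, one unsafe template task and one task outside the rule.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "Unsafe example of using ini_file",
     "community.general.ini_file": {"path": "foo", "create": True}},
    {"name": "Safe example of using ini_file (1st solution)",
     "community.general.ini_file": {"path": "foo", "create": False}},
    {"name": "Safe example of using ini_file (2nd solution)",
     "community.general.ini_file": {"path": "foo", "mode": "0600"}},
    {"name": "Safe example of using copy (3rd solution)",
     "ansible.builtin.copy": {"src": "foo", "dest": "bar", "mode": "preserve"}},
    {"name": "Template without mode",
     "ansible.builtin.template": {"src": "foo.j2", "dest": "/tmp/foo.conf"}},
    {"name": "Not a file-creating module",
     "ansible.builtin.debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Run as a script it reports the two unsafe tasks (the `ini_file` task that leaves `create` at its default without a `mode`, and the `template` task with no `mode`) and stays silent on the three documented safe forms. The check deliberately keys on the task's own arguments only, which is exactly why a `mode` supplied through `module_defaults` would still be reported, matching the caveat in the warning above.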