risky-file-permissions

This rule is triggered by various modules that could end up creating new files on disk with permissions that might be too open, or unpredictable. Please read the documentation of each module carefully to understand the implications of using different argument values, as these make the difference between using the module safely or not. The fix depends on each module and also your particular situation.

Some modules have a create argument that defaults to true. For those you either need to set create: false or provide some permissions like mode: 0600 to make the behavior predictable and not dependent on the current system settings.

Modules that are checked:

• ansible.builtin.assemble
• ansible.builtin.copy
• ansible.builtin.file
• ansible.builtin.get_url
• ansible.builtin.replace
• ansible.builtin.template
• community.general.archive
• community.general.ini_file

Warning

This rule does not take module_defaults configuration into account. There are currently no plans to implement this feature because changing task location can also change task behavior.

Problematic code

---
- name: Unsafe example of using ini_file
  community.general.ini_file:
    path: foo
    create: true

Correct code

---
- name: Safe example of using ini_file (1st solution)
  community.general.ini_file:
    path: foo
    create: false  # prevents creating a file with potentially insecure permissions

- name: Safe example of using ini_file (2nd solution)
  community.general.ini_file:
    path: foo
    mode: "0600"  # explicitly sets the desired permissions, to make the results predictable

- name: Safe example of using copy (3rd solution)
  ansible.builtin.copy:
    src: foo
    dest: bar
    mode: preserve   # copy has a special mode that sets the same permissions as the source file