From bcfd4cb01056067327ec793fe5af750aab0f7b31 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Mon, 26 Aug 2019 02:05:53 +0200
Subject: [PATCH] Fixed missing mode setting for others

To disallow access from others than user and group
---
 roles/bootstrap/tasks/privilege.yml | 2 +-
 roles/common/tasks/main.yml | 2 +-
 roles/git_auto_update/defaults/main.yml | 2 +-
 roles/nginx/php-pool/tasks/main.yml | 4 ++--
 roles/server/gitea/tasks/main.yml | 10 +++++-----
 roles/server/nextcloud/tasks/install.yml | 4 ++--
 roles/server/nextcloud/tasks/main.yml | 2 +-
 roles/server/spotme/tasks/main.yml | 2 +-
 roles/server/static/meta/main.yml | 2 +-
 9 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/roles/bootstrap/tasks/privilege.yml b/roles/bootstrap/tasks/privilege.yml
index df3509e..fdd06f3 100644
--- a/roles/bootstrap/tasks/privilege.yml
+++ b/roles/bootstrap/tasks/privilege.yml
@@ -39,5 +39,5 @@
 dest: "{{ bootstrap_expected_user_data.home }}/.ssh/authorized_keys"
 owner: "{{ bootstrap_expected_user }}"
 group: "{{ bootstrap_expected_user }}"
- mode: u=rw,g=r
+ mode: u=rw,g=r,o=
 become: yes
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index f8c7f5c..fce0f2f 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -38,7 +38,7 @@
 state: directory
 owner: root
 group: root
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Create backups directories
 file:
diff --git a/roles/git_auto_update/defaults/main.yml b/roles/git_auto_update/defaults/main.yml
index d57a204..20a4b9c 100644
--- a/roles/git_auto_update/defaults/main.yml
+++ b/roles/git_auto_update/defaults/main.yml
@@ -4,7 +4,7 @@
 # dest: /example/repository
 owner: root
 group: "{{ owner }}"
-mode: "u=rwx,g=rx"
+mode: "u=rwx,g=rx,o="
 repo_name: "{{ dest | basename }}"
 tag_prefix: "release-"
 gpg_fingerprint: 73D09948B2392D688A45DC8393E1BD26F6B02FB7
diff --git a/roles/nginx/php-pool/tasks/main.yml b/roles/nginx/php-pool/tasks/main.yml
index 01d8ed2..12e6dbe 100644
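Review bot: The new `o=` on `authorized_keys` only achieves its goal if the enclosing `~/.ssh` directory is equally closed, and the task that creates that directory is not part of this hunk; sshd with StrictModes also refuses the key file when the directory or the home is group- or world-writable. Since `group` here is the user's own primary group, `g=r` is effectively private, so the file mode itself is fine as written. Please confirm the `.ssh` directory task uses `mode: u=rwx,g=,o=`, and while touching this task consider `become: true` instead of `become: yes` to satisfy yamllint's truthy rule. The task's opening lines, including the module name, are above the hunk.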
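Review bot: With `o=` and the default `group: "{{ owner }}"` (which resolves to root), a checkout using these defaults is readable by root only, so any consuming role whose service reads the files must override `group` — as `roles/server/static/meta/main.yml` does with `nginx_system_user` elsewhere in this patch. That contract is worth stating in the defaults rather than leaving it implicit; a comment above the new line such as `# o= : consumers must set group to the service account that reads the checkout` would do. The remainder of this defaults file is outside the hunk.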
--- a/roles/nginx/php-pool/tasks/main.yml
+++ b/roles/nginx/php-pool/tasks/main.yml
@@ -6,7 +6,7 @@
 state: directory
 owner: "{{ system_user }}"
 group: "{{ nginx_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Check if src is a directory
 file:
@@ -14,7 +14,7 @@
 state: directory
 owner: "{{ system_user }}"
 group: "{{ system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Configure pool in php-fpm
 template:
diff --git a/roles/server/gitea/tasks/main.yml b/roles/server/gitea/tasks/main.yml
index c26630f..24295df 100644
--- a/roles/server/gitea/tasks/main.yml
+++ b/roles/server/gitea/tasks/main.yml
@@ -22,7 +22,7 @@
 state: directory
 owner: "{{ gitea_system_user }}"
 group: "{{ nginx_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Configure installation directory
 file:
@@ -30,7 +30,7 @@
 state: directory
 owner: "{{ gitea_system_user }}"
 group: "{{ gitea_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Configure custom directory
 file:
@@ -38,7 +38,7 @@
 state: directory
 owner: "{{ gitea_system_user }}"
 group: "{{ gitea_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Configure repositories directory
 file:
@@ -46,13 +46,13 @@
 state: directory
 owner: "{{ gitea_system_user }}"
 group: "{{ gitea_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Configure gitea
 template:
 src: "app.ini"
 dest: "{{ gitea_configuration_path }}"
- mode: 0640
+ mode: "u=rw,g=r,o="
 owner: root
 group: "{{ gitea_system_user }}"
 notify: restart gitea
diff --git a/roles/server/nextcloud/tasks/install.yml b/roles/server/nextcloud/tasks/install.yml
index 76095e9..93f0c2c 100644
--- a/roles/server/nextcloud/tasks/install.yml
+++ b/roles/server/nextcloud/tasks/install.yml
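Review bot: In the first php-pool hunk (`@@ -6,7`) removing `o` from a directory owned by `{{ system_user }}` but shared with `{{ nginx_system_user }}` via the group makes group membership nginx's only path in, yet files created inside later by `system_user` will carry that user's primary group rather than `nginx_system_user` unless the directory is setgid. If PHP writes content there that nginx must serve, set the setgid bit in the new mode, `mode: "u=rwx,g=rxs,o="`, or otherwise ensure the writer's effective group is the nginx group. The directory's `path` and task name are above the hunk, so I cannot tell from here what is stored in it.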
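Review bot: The installation directory in the second gitea hunk (`@@ -30,7`) is still owned by `{{ gitea_system_user }}` with `u=rwx`, so the service account can rewrite whatever lives there; if that is the Gitea binary or its templates, a compromised process can persist itself across restarts. A least-privilege layout is `owner: root`, `group: "{{ gitea_system_user }}"`, `mode: "u=rwx,g=rx,o="`, leaving the gitea user as owner only of the custom, repositories and data directories it genuinely writes. This assumes the directory holds the binary; its `path` is outside the hunk.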
@@ -6,7 +6,7 @@
 url: "{{ nextcloud_release_remote }}"
 checksum: "sha256:{{ nextcloud_release_remote_checksum }}"
 dest: "{{ nextcloud_release_file }}"
- mode: "u=rw,g=r"
+ mode: "u=rw,g=r,o="
 validate_certs: yes
 
 - name: Download signature for Nextcloud release
@@ -14,7 +14,7 @@
 get_url:
 url: "{{ nextcloud_release_remote_signature }}"
 dest: "{{ nextcloud_release_signature }}"
- mode: "u=rw,g=r"
+ mode: "u=rw,g=r,o="
 force: yes
 validate_certs: yes
 
diff --git a/roles/server/nextcloud/tasks/main.yml b/roles/server/nextcloud/tasks/main.yml
index aa4baa1..d286aae 100644
--- a/roles/server/nextcloud/tasks/main.yml
+++ b/roles/server/nextcloud/tasks/main.yml
@@ -49,7 +49,7 @@
 path: "{{ nextcloud_data_directory }}"
 owner: "{{ system_user }}"
 group: "{{ system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 - name: Install Nextcloud
 become_user: "{{ system_user }}"
diff --git a/roles/server/spotme/tasks/main.yml b/roles/server/spotme/tasks/main.yml
index d721ec7..1fc1f8d 100644
--- a/roles/server/spotme/tasks/main.yml
+++ b/roles/server/spotme/tasks/main.yml
@@ -36,7 +36,7 @@
 state: directory
 owner: "{{ spotme_system_user }}"
 group: "{{ spotme_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
 
 # TODO Role for Git Username / Password Configuration
 
diff --git a/roles/server/static/meta/main.yml b/roles/server/static/meta/main.yml
index 9e8dd4b..78abf9a 100644
--- a/roles/server/static/meta/main.yml
+++ b/roles/server/static/meta/main.yml
@@ -7,4 +7,4 @@ dependencies:
 dest: "{{ root_directory }}"
 owner: root
 group: "{{ nginx_system_user }}"
- mode: "u=rwx,g=rx"
+ mode: "u=rwx,g=rx,o="
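Review bot: The release tarball is now unreadable by others, but this `get_url` task sets no `owner`/`group`, so the file belongs to whichever account the play runs as; if extraction is later done as `{{ system_user }}` (as `become_user: "{{ system_user }}"` in tasks/main.yml suggests) that step will fail with permission denied. Either add `owner: "{{ system_user }}"` and `group: "{{ system_user }}"` beside the new mode line, or perform the download with the same `become_user`. The same consideration applies to the signature file in the following hunk.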
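Review bot: In the static meta hunk (`@@ -7,4`) `mode` governs only the top-level `root_directory`; whether nginx, reading via `group: "{{ nginx_system_user }}"`, still reaches the files inside depends on the consumed role propagating `group` and a group-readable mode to the checkout, because a plain git clone run as root honours only the umask and produces root:root files. That propagation is not visible here, so verify the role applies owner/group recursively or follow the update with a `file` task using `recurse: true`. The rest of this dependency entry, including the role name, is above the hunk.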