CoffeeITWorks / ansible_burp2_server

Ansible role to deploy burp2 server
MIT License

Wrong permissions & no idempotency #68

Closed marcin-github closed 4 years ago

marcin-github commented 4 years ago

Hi Pablo! I set burp_sv_server_user: 'burp'. Please look at it, this is after the first run:

# ls -lR /etc/burp/
/etc/burp/:
total 36
drwxr-xr-x 4 burp burp 4096 Jun  3 13:35 CA
drwxr-xr-x 2 burp burp 4096 Jun  3 13:35 CA-client
-rw-r--r-- 1 burp root  781 Jun  3 13:35 CA.cnf
drwxr-xr-x 2 burp burp 4096 Jun  3 13:35 autoupgrade
-rw-r--r-- 1 burp root 7363 Jun  3 13:35 burp-server.conf
-rw-r--r-- 1 burp burp  821 Jun  3 13:35 burp.conf
drwxr-xr-x 4 burp burp 4096 Jun  3 13:35 clientconfdir
-rw------- 1 burp burp  830 Jun  3 13:35 dhfile.pem
lrwxrwxrwx 1 burp burp   26 Jun  3 13:35 ssl_cert-server.key -> /etc/burp/CA/decbackup.key
lrwxrwxrwx 1 burp burp   26 Jun  3 13:35 ssl_cert-server.pem -> /etc/burp/CA/decbackup.crt
lrwxrwxrwx 1 burp burp   26 Jun  3 13:35 ssl_cert_ca-server.pem -> /etc/burp/CA/CA_burpCA.crt

/etc/burp/CA:
total 56
-rw-r--r-- 1 burp burp  544 Jun  3 13:35 CA_burpCA.crl
-rw-r--r-- 1 burp burp 1164 Jun  3 13:35 CA_burpCA.crt
-rw------- 1 burp burp 1679 Jun  3 13:35 CA_burpCA.key
drwxr-xr-x 2 burp burp 4096 Jun  3 13:35 certs
-rw-r--r-- 1 burp burp    3 Jun  3 13:35 crlnumber.txt
-rw-r--r-- 1 burp burp    3 Jun  3 13:35 crlnumber.txt.old
-rw-r--r-- 1 burp burp 3688 Jun  3 13:35 decbackup.crt
-rw-r--r-- 1 burp burp  928 Jun  3 13:35 decbackup.csr
-rw------- 1 burp burp 1679 Jun  3 13:35 decbackup.key
-rw-r--r-- 1 burp burp   42 Jun  3 13:35 index.txt
-rw-r--r-- 1 burp burp   20 Jun  3 13:35 index.txt.attr
-rw-r--r-- 1 burp burp    0 Jun  3 13:35 index.txt.old
drwxr-xr-x 2 burp burp 4096 Jun  3 13:35 newcerts
-rw-r--r-- 1 burp burp    3 Jun  3 13:35 serial.txt
-rw-r--r-- 1 burp burp    3 Jun  3 13:35 serial.txt.old

/etc/burp/CA/certs:
total 4
-rw-r--r-- 1 burp burp 3688 Jun  3 13:35 00.pem
lrwxrwxrwx 1 burp burp   25 Jun  3 13:35 ef8ba571.0 -> /etc/burp/CA/certs/00.pem

/etc/burp/CA/newcerts:
total 0

/etc/burp/CA-client:
total 0
/etc/burp/autoupgrade:
total 0

/etc/burp/clientconfdir:
total 12
drwxrwxrwx 2 1000 1000 4096 Jun  3 12:00 incexc
-rw-r--r-- 1 burp burp   19 Jun  3 13:35 monitor
drwxr-xr-x 2 burp burp 4096 Jun  3 13:35 profiles

/etc/burp/clientconfdir/incexc:
total 88
-rw-rw-r-- 1 1000 1000 1544 Jun  2 03:46 README.md
-rw-rw-r-- 1 1000 1000  209 Jun  2 03:46 audio_compressed_exclusions
-rw-rw-r-- 1 1000 1000  338 Jun  2 03:46 audio_exclusions
-rw-rw-r-- 1 1000 1000  438 Jun  2 03:46 compressed_exclusions
-rw-rw-r-- 1 1000 1000  543 Jun  2 03:46 generic_excluded_extensions
-rw-rw-r-- 1 1000 1000  560 Jun  2 03:46 generic_exclusions
-rw-rw-r-- 1 1000 1000  122 Jun  2 03:46 image_compressed_exclusions
-rw-rw-r-- 1 1000 1000 1027 Jun  2 03:46 lnxsrv_global_exclusions
-rw-rw-r-- 1 1000 1000   10 Jun  2 03:46 lnxsrv_global_inclusions
-rw-r--r-- 1 burp root  681 Jun  3 13:35 profile_lnxsrv
-rw-r--r-- 1 burp root  683 Jun  3 13:35 profile_lnxsrv_medium
-rw-r--r-- 1 burp root 1070 Jun  3 13:35 profile_win6x
-rw-r--r-- 1 burp root 1235 Jun  3 13:35 profile_win6x_drp
-rw-r--r-- 1 burp root  521 Jun  3 13:35 profile_win6x_drp2
-rw-rw-r-- 1 1000 1000  221 Jun  2 03:46 std_settings
-rw-rw-r-- 1 1000 1000  459 Jun  2 03:46 video_compressed_exclusions
-rw-rw-r-- 1 1000 1000  542 Jun  2 03:46 video_exclusions
-rw-rw-r-- 1 1000 1000 1322 Jun  2 03:46 vm_exclusions
-rw-rw-r-- 1 1000 1000 2044 Jun  2 03:46 win6x_global_exclusions
-rw-rw-r-- 1 1000 1000 1095 Jun  2 03:46 win6x_global_inclusions
-rw-rw-r-- 1 1000 1000 7689 Jun  2 03:46 windows_settings

/etc/burp/clientconfdir/profiles:
total 8
-rw-r--r-- 1 burp root 166 Jun  3 13:35 lnxsrv
-rw-r--r-- 1 burp root 165 Jun  3 13:35 win6x

As you can see there are files owned by burp and by uid 1000 (which is the uid of the user I run ansible as). The owner should be root, with read permissions for the user set in burp_sv_server_user, and other users should not have permission to read (there are passwords and ssl keys inside the /etc/burp directory). Now I run the playbook again:

TASK [coffeeitworks.burp2_server : config_burp | create etc directories] *************************************************************************************************************************************
task path: /home/mmiroslaw/ansible/roles/coffeeitworks.burp2_server/tasks/4_config_burp.yml:10
ok: [decbackup.in.decerto.com] => (item=/etc/burp/autoupgrade) => {"ansible_loop_var": "item", "changed": false, "gid": 1003, "group": "burp", "item": "/etc/burp/autoupgrade", "mode": "0755", "owner": "burp", "path": "/etc/burp/autoupgrade", "size": 4096, "state": "directory", "uid": 1003}
ok: [decbackup.in.decerto.com] => (item=/etc/burp/CA-client) => {"ansible_loop_var": "item", "changed": false, "gid": 1003, "group": "burp", "item": "/etc/burp/CA-client", "mode": "0755", "owner": "burp", "path": "/etc/burp/CA-client", "size": 4096, "state": "directory", "uid": 1003}
--- before
+++ after
@@ -1,6 +1,6 @@
 {
-    "group": 1000,
-    "mode": "0777",
-    "owner": 1000,
+    "group": 1003,
+    "mode": "0755",
+    "owner": 1003,
     "path": "/etc/burp/clientconfdir/incexc"
 }
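Review bot: the "before" side of this hunk shows /etc/burp/clientconfdir/incexc arriving from the first run as mode 0777 with owner and group 1000, i.e. world-writable and owned by an id that has no account on the backup host, and only the directory-creation task on the second run brings it to 0755 burp:burp. Two consequences: between the copy and the corrective task the directory is writable by any local user, and since the copy step re-applies the source-side ownership and mode on every run (the later rsync output, `.d...pog...` / `.f...pog...`, shows perms, owner and group changing each time), the correction is undone and redone on every run, which is exactly the reported non-idempotency. The copy step should set owner, group and mode itself, or be followed by a recursive file task, with root as owner and the service user's group as the reporter asks, rather than leaving the controller's uid on the tree.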

changed: [decbackup.in.decerto.com] => (item=/etc/burp/clientconfdir/incexc) => {"ansible_loop_var": "item", "changed": true, "gid": 1003, "group": "burp", "item": "/etc/burp/clientconfdir/incexc", "mode": "0755", "owner": "burp", "path": "/etc/burp/clientconfdir/incexc", "size": 4096, "state": "directory", "uid": 1003}
changed: [decbackup.in.decerto.com] => (item=/etc/burp/clientconfdir/profiles) => {"ansible_loop_var": "item", "changed": true, "gid": 1003, "group": "burp", "item": "/etc/burp/clientconfdir/profiles", "mode": "0755", "owner": "burp", "path": "/etc/burp/clientconfdir/profiles", "size": 4096, "state": "directory", "uid": 1003}

We can see that the permissions of some files and dirs were modified (but they should have been set in the first run). And the next task:

TASK [coffeeitworks.burp2_server : config_burp | copy clients configuration files] ***************************************************************************************************************************
task path: /home/mmiroslaw/ansible/roles/coffeeitworks.burp2_server/tasks/4_config_burp.yml:71
.d...pog... incexc/
.f...pog... incexc/README.md
.f...pog... incexc/audio_compressed_exclusions
.f...pog... incexc/audio_exclusions
.f...pog... incexc/compressed_exclusions
.f...pog... incexc/generic_excluded_extensions
.f...pog... incexc/generic_exclusions
.f...pog... incexc/image_compressed_exclusions
.f...pog... incexc/lnxsrv_global_exclusions
.f...pog... incexc/lnxsrv_global_inclusions
.f...pog... incexc/std_settings
.f...pog... incexc/video_compressed_exclusions
.f...pog... incexc/video_exclusions
.f...pog... incexc/vm_exclusions
.f...pog... incexc/win6x_global_exclusions
.f...pog... incexc/win6x_global_inclusions
.f...pog... incexc/windows_settings
changed: [decbackup.in.decerto.com] => {"changed": true, "cmd": "/usr/bin/rsync --delay-updates -F --compress --archive --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/mmiroslaw/ansible/roles/coffeeitworks.burp2_server/files/incexc root@10.222.20.11:/etc/burp/clientconfdir", "msg": ".d...pog... incexc/\n.f...pog... incexc/README.md\n.f...pog... incexc/audio_compressed_exclusions\n.f...pog... incexc/audio_exclusions\n.f...pog... incexc/compressed_exclusions\n.f...pog... incexc/generic_excluded_extensions\n.f...pog... incexc/generic_exclusions\n.f...pog... incexc/image_compressed_exclusions\n.f...pog... incexc/lnxsrv_global_exclusions\n.f...pog... incexc/lnxsrv_global_inclusions\n.f...pog... incexc/std_settings\n.f...pog... incexc/video_compressed_exclusions\n.f...pog... incexc/video_exclusions\n.f...pog... incexc/vm_exclusions\n.f...pog... incexc/win6x_global_exclusions\n.f...pog... incexc/win6x_global_inclusions\n.f...pog... incexc/windows_settings\n", "rc": 0, "stdout_lines": [".d...pog... incexc/", ".f...pog... incexc/README.md", ".f...pog... incexc/audio_compressed_exclusions", ".f...pog... incexc/audio_exclusions", ".f...pog... incexc/compressed_exclusions", ".f...pog... incexc/generic_excluded_extensions", ".f...pog... incexc/generic_exclusions", ".f...pog... incexc/image_compressed_exclusions", ".f...pog... incexc/lnxsrv_global_exclusions", ".f...pog... incexc/lnxsrv_global_inclusions", ".f...pog... incexc/std_settings", ".f...pog... incexc/video_compressed_exclusions", ".f...pog... incexc/video_exclusions", ".f...pog... incexc/vm_exclusions", ".f...pog... incexc/win6x_global_exclusions", ".f...pog... incexc/win6x_global_inclusions", ".f...pog... incexc/windows_settings"]}

^ this task copies files with the wrong owner. Every run of the playbook returns changed=2 tasks.
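The report above boils down to a permission policy for the config tree: owner root, read access for the service account's group, nothing for others, no group-write, and no executable bit on plain config files. The script below is an added example (not code from the ansible_burp2_server role) that parses `ls -lR` output of the kind pasted in the issue and lists every entry that breaks that policy, so the same check can be run before and after a playbook run. It assumes the service group is named `burp` (the issue sets burp_sv_server_user: 'burp'); the sample listing is constructed from entries in the issue, with CA.cnf given the executable bit from the follow-up comment and a made-up compliant `clean.conf` added.

```python
"""Audit an `ls -lR` listing of a config tree against a fixed ownership/permission policy.

Added example, not part of the ansible_burp2_server role. Policy (from the issue):
owner root, service group may read, others get nothing, no group-write,
no executable bit on regular files. Service group 'burp' is an assumption.
"""
import posixpath
import re

# Constructed sample adapted from the issue's `ls -lR /etc/burp` output.
# CA.cnf carries the executable bit reported later; clean.conf is a made-up
# compliant entry so that a clean result is exercised as well.
SAMPLE_LISTING = """\
/etc/burp/:
total 36
drwxr-xr-x 4 burp burp 4096 Jun  3 13:35 CA
-rwxr-xr-x 1 burp root  781 Jun  3 13:35 CA.cnf
-rw------- 1 burp burp  830 Jun  3 13:35 dhfile.pem
-rw-r----- 1 root burp  100 Jun  3 13:35 clean.conf
lrwxrwxrwx 1 burp burp   26 Jun  3 13:35 ssl_cert-server.key -> /etc/burp/CA/decbackup.key

/etc/burp/clientconfdir:
total 12
drwxrwxrwx 2 1000 1000 4096 Jun  3 12:00 incexc

/etc/burp/clientconfdir/incexc:
total 88
-rw-rw-r-- 1 1000 1000 1544 Jun  2 03:46 README.md
-rw-r--r-- 1 burp root  681 Jun  3 13:35 profile_lnxsrv
"""

# One `ls -l` entry: mode, link count, owner, group, size, month, day, time-or-year, name.
# A trailing " -> target" on symlinks is dropped from the name.
ENTRY_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+?)(?:\s->\s.*)?$"
)


def parse_listing(text):
    """Yield (path, mode, owner, group) for every entry in `ls -lR` output."""
    cwd = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue
        if line.endswith(":") and line[0] in "/.":  # directory header such as "/etc/burp/:"
            cwd = line[:-1].rstrip("/") or "/"
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield posixpath.join(cwd, m["name"]), m["mode"], m["owner"], m["group"]


def audit(text, service_group="burp", expected_owner="root"):
    """Return {path: [problem, ...]} for each entry that violates the policy."""
    report = {}
    for path, mode, owner, group in parse_listing(text):
        kind, perms = mode[0], mode[1:]
        if kind == "l":
            continue  # a symlink's own mode is meaningless; its target is listed elsewhere
        problems = []
        if owner.isdigit() or group.isdigit():
            problems.append(f"numeric owner/group {owner}:{group} (no such account on the host)")
        if owner != expected_owner:
            problems.append(f"owner {owner}, expected {expected_owner}")
        if group != service_group:
            problems.append(f"group {group}, expected {service_group}")
        if "w" in perms[3:6]:
            problems.append("group-writable")
        if perms[6:9] != "---":
            problems.append("accessible by others")
        if kind == "-" and any(c in "xsStT" for c in perms):
            problems.append("executable bit on regular file")
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    for path, problems in sorted(audit(SAMPLE_LISTING).items()):
        print(f"{path}: {'; '.join(problems)}")
```

Feeding it the real listing (`ls -lR /etc/burp | python3 audit_burp_perms.py`, after swapping the sample for `sys.stdin.read()`) gives a per-file list of deviations; an empty report after the second playbook run is the idempotency signal the reporter was looking for, and a non-empty one names exactly which files the copy step reset.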

pablodav commented 4 years ago

Thanks for your report!

I have prepared a possible fix and also re-enabled idempotence test to ensure it stays fixed.

marcin-github commented 4 years ago

Thank you! I found one file, CA.cnf, that still has executable bit set.

pablodav commented 4 years ago

fixed in last release, thank you for reporting!