ansible-collections / ansible.posix

Ansible Collection for Posix

sysctl custom file permissions #108

Open mhalano opened 3 years ago

mhalano commented 3 years ago
SUMMARY

I save my custom configurations under /etc/sysctl.d/10-performance.conf (performance configs). The problem is that when this file is created it has a very restrictive permission, 0600 to be exact. It should be 0644 like the other files.

ISSUE TYPE
COMPONENT NAME

sysctl

ANSIBLE VERSION
ansible 2.10.0
  config file = /home/mhalano/projs/infra-marcos-new/ansible.cfg
  configured module search path = ['/home/mhalano/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.6 (default, Sep 25 2020, 09:36:53) [GCC 10.2.0]
CONFIGURATION
INTERPRETER_PYTHON(/home/mhalano/projs/infra-marcos-new/ansible.cfg) = auto
OS / ENVIRONMENT

Ubuntu 20.10 but using the ansible-base package from Eoan on the official repository.

STEPS TO REPRODUCE

1. Execute this minimal task:

- name: Reduce Swappiness
  sysctl:
    name: vm.swappiness
    value: "10"
    reload: yes
    state: present
    sysctl_file: /etc/sysctl.d/10-performance.conf
EXPECTED RESULTS

The file /etc/sysctl.d/10-performance.conf should have permission 0644.

ACTUAL RESULTS

The file /etc/sysctl.d/10-performance.conf has permission 0600 even though it is not a critical file (a security key or whatever).

mhalano@glados:~/projs/infra-marcos-new$ ls -lh /etc/sysctl.d/10-performance.conf 
-rw------- 1 root root 42 out 30 16:34 /etc/sysctl.d/10-performance.conf
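As an added example (not code from the issue or from the ansible.posix collection), the task above with the drop-in's mode pinned explicitly by a follow-up ansible.builtin.file task, so the result no longer depends on whatever default the sysctl module applies; the play name, hosts and the final stat/assert check are assumptions for illustration:

```yaml
- name: Set vm.swappiness and pin the drop-in file's mode explicitly
  hosts: all
  become: true
  tasks:
    - name: Reduce swappiness
      ansible.posix.sysctl:
        name: vm.swappiness
        value: "10"
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/10-performance.conf

    # The sysctl module creates the drop-in with its own default mode. Setting
    # the mode here makes it explicit: 0644 matches the files the distribution
    # packages ship in /etc/sysctl.d; use "0600" instead if a tighter policy
    # is wanted. Either way the outcome is deterministic and auditable.
    - name: Align permissions of the drop-in with packaged sysctl.d files
      ansible.builtin.file:
        path: /etc/sysctl.d/10-performance.conf
        owner: root
        group: root
        mode: "0644"

    # Read back the mode so a later run surfaces drift instead of hiding it.
    - name: Stat the drop-in file
      ansible.builtin.stat:
        path: /etc/sysctl.d/10-performance.conf
      register: perf_conf

    - name: Fail if the mode is not the one we set
      ansible.builtin.assert:
        that:
          - perf_conf.stat.exists
          - perf_conf.stat.mode == "0644"
        fail_msg: "Unexpected mode {{ perf_conf.stat.mode | default('missing') }} on 10-performance.conf"
```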
aminvakil commented 3 years ago

Does this strict permission do any harm?

I think the default '0600' permission is fine; as long as the system does not care about the permission and can read it, there is no use in all users on the system having access to the file and reading kernel parameters.

https://en.wikipedia.org/wiki/Principle_of_least_privilege :)

mhalano commented 3 years ago

@aminvakil It doesn't cause any harm, it works fine, but it causes a discrepancy because every file inside /etc/sysctl.d/ put there by various packages (like procps, which includes a lot of files) uses 0644 mode, and /etc/sysctl.conf itself is 0644 as well. So why should just one file with a couple of parameters be more protected than the others? Did you get it?