Open mamedin opened 4 years ago
Related to RH issue CVE-2020-1736. See:
https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.9.html#change-to-default-file-permissions
https://github.com/ansible/ansible/issues/67794#issuecomment-672921617
https://github.com/CVEProject/cvelist/pull/3261
Warning message when deploying with ansible 2.9.12:
messages:Aug 28 10:36:52 mamedin-centos-1 ansible-copy: Invoked with directory_mode=None force=True remote_src=None _original_basename=clientConfig.logging.json.j2 owner=None follow=False local_follow=None group=None unsafe_writes=None serole=None content=NOT_LOGGING_PARAMETER setype=None dest=/etc/archivematica/clientConfig.logging.json selevel=None regexp=None validate=None src=/home/artefactual/.ansible/tmp/ansible-tmp-1598611006.59-3801424-99872750457753/source checksum=6bf51dd63e215c12c04216e770e415238eeb7f6a seuser=None delimiter=None mode=None attributes=None backup=True
messages:Aug 28 10:36:52 mamedin-centos-1 ansible-copy: [WARNING] File '/etc/archivematica/clientConfig.logging.json' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning.
The template tasks in the ansible-archivematica-src role should use the mode option. It is also desirable that the owner of the config files is changed to root:archivematica or archivematica:archivematica, with permissions 640 or 440.
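Added example, not the role's own tasks: the template task as it runs today (no mode, so the resulting permissions depend on the Ansible version's default) beside the explicit form, followed by a check that fails the play if a config file ends up with an unexpected mode. The template name and destination are taken from the log line above; the 0640 mode and root:archivematica ownership are the values proposed in this issue.

```yaml
# Added example, not code from the ansible-archivematica-src role.
# Before: no mode given, so Ansible applies its default. Up to 2.9.11
# that default was 0666 masked by the umask (typically 0644); from
# 2.9.12 it is 0600, which the archivematica services cannot read.
- name: Deploy clientConfig.logging.json (relies on the default mode)
  template:
    src: clientConfig.logging.json.j2
    dest: /etc/archivematica/clientConfig.logging.json
    backup: yes

# After: owner, group and mode set explicitly, so the result is the
# same on every Ansible version, the service group can read the file,
# and other users cannot.
- name: Deploy clientConfig.logging.json
  template:
    src: clientConfig.logging.json.j2
    dest: /etc/archivematica/clientConfig.logging.json
    owner: root
    group: archivematica
    mode: '0640'
    backup: yes

# Guard for the whole config directory: list the files and assert that
# each one has one of the two modes proposed in this issue.
- name: Find Archivematica config files
  find:
    paths: /etc/archivematica
    file_type: file
  register: am_config_files

- name: Fail on unexpected config file modes
  assert:
    that:
      - item.mode in ['0640', '0440']
    fail_msg: "{{ item.path }} has mode {{ item.mode }}, expected 0640 or 0440"
  loop: "{{ am_config_files.files }}"
  loop_control:
    label: "{{ item.path }}"
```

The guard tasks are independent of the Ansible version and catch the regression described here whenever a task in the role still omits mode.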
Expected behaviour
Ansible role deploys should work with all ansible stable versions
Current behaviour
Ansible role creates archivematica config files with 0600 permissions instead of 0644. Using 0600 permissions the archivematica services cannot start.
(Using ansible 2.9.10 works)
Steps to reproduce
Deploy archivematica on CentOS with ansible version >=2.9.12
Your environment (version of Archivematica, operating system, other relevant details)
Ansible 2.9.12, CentOS 7 and archivematica 1.11.2