The database init scripts are copied to /tmp on the target host with no permission mode set. This means that (depending on the umask) the sql files might have mode 644 and hence are readable for everyone. Since these files can contain the entire production database that probably includes sensitive data, it might be wise to restrict read access to root or the Ansible user.
Beside that, if the initial databases are big, they can consume a lot of space available in /tmp. So maybe it is a good idea to delete them after the initialization completed. E.g.:
I decided to open an issue instead of proposing a PR because there is another issue regarding the database initialization where you said you need to restructure it anyway.
The database init scripts are copied to
/tmp
on the target host with no permission mode set. This means that (depending on the umask) the sql files might have mode 644 and hence are readable for everyone. Since these files can contain the entire production database that probably includes sensitive data, it might be wise to restrict read access to root or the Ansible user.So I propose:
Beside that, if the initial databases are big, they can consume a lot of space available in /tmp. So maybe it is a good idea to delete them after the initialization completed. E.g.:
I decided to open an issue instead of proposing a PR because there is another issue regarding the database initialization where you said you need to restructure it anyway.