dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0

os_hardening: /tmp privs erroneously apply as 03361 #803

Open shaunsmiley-xevo opened 1 month ago

shaunsmiley-xevo commented 1 month ago

Description

It appears that 1777 is interpreted as decimal, and gets converted to 03361 octal. The workaround is to override these default vars to '01777'.

Reproduction steps

Run the role with defaults.

Current Behavior

TASK [devsec.hardening.os_hardening : Harden permissions for directory of mount /tmp] ***********************************************************************
--- before
+++ after
@@ -1,2 +1,2 @@
-mode: '01777'
+mode: '03361'
 path: /tmp

Expected Behavior

It should keep the 1777 default setting.

OS / Environment

Provide all relevant information below, e.g. target OS versions, network device firmware, etc.

Ansible Version

ansible [core 2.15.9]
...
  python version = 3.11.8 (main, Feb  6 2024, 21:21:21) [GCC 12.3.0]
  jinja version = 3.1.3
  libyaml = True

Collection Version

9.0.1

Additional information

No response
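The decimal-versus-octal reading described in this report, as an added example that is not part of the issue thread or the collection's code: it models how a YAML 1.1 loader types a mode scalar and flags bare values without a leading zero. The sample input is constructed and its variable names are hypothetical.

```python
import re
import stat

# Constructed sample; the variable names are hypothetical, not the role's own.
SAMPLE = """\
tmp_mode_bare: 1777
tmp_mode_quoted: '1777'
tmp_mode_leading_zero: 01777
home_mode: "0750"
"""

MODE_LINE = re.compile(r"^\s*(?P<key>\w*mode\w*)\s*:\s*(?P<val>\S+)\s*$")


def effective_mode(scalar: str) -> tuple[int, bool]:
    """Return (permission bits, risky) for a mode scalar as written in YAML.

    Models YAML 1.1 typing: a quoted value stays a string and is parsed as
    octal by the consumer; a bare value with a leading 0 is an octal integer;
    a bare value without one is a decimal integer used as the raw mode bits.
    """
    if scalar[0] in "'\"":
        return int(scalar.strip("'\""), 8), False
    if scalar.startswith("0"):
        return int(scalar, 8), False
    return int(scalar, 10), True  # 1777 decimal == 0o3361


def audit(yaml_text: str) -> list[dict]:
    """Report every *mode* key whose value is made of octal digits."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = MODE_LINE.match(line)
        if not m or not re.fullmatch(r"['\"]?[0-7]+['\"]?", m["val"]):
            continue
        bits, risky = effective_mode(m["val"])
        findings.append({
            "line": lineno, "key": m["key"], "written": m["val"],
            "octal": f"{bits:05o}",
            "perms": stat.filemode(stat.S_IFDIR | bits),
            "risky": risky,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "RISKY" if f["risky"] else "ok"
        print(f"{f['line']}: {f['key']}={f['written']} -> {f['octal']} {f['perms']} [{flag}]")
```

The bare `1777` resolves to `03361`, which on a directory is `d-wxrwS--t` rather than the intended `drwxrwxrwt`.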

rndmh3ro commented 1 month ago

I am unable to reproduce this.

[~/.../os_hardening]: (master *%)
> cat test.yaml
- hosts: localhost
  tasks:
    - file:
        path: /tmp
        mode: "1777"
        state: directory

:[~/.../os_hardening]: (master *%)
> ansible-playbook test.yaml --diff

PLAY [localhost] ***********************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [file] ****************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP *****************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

basti:[~/.../os_hardening]: (master *%)
> ls -lsah /
   0 drwxrwxrwt  18 root  root   780  9. Okt 08:52 tmp