fix E208 'File permissions not mentioned'

63887d3b · Frederik Schwan · Sven-Hendrik Haase · 04b2e3b1 · 63887d3b · 63887d3b
Commit 63887d3b authored Aug 18, 2020 by Frederik Schwan Committed by Sven-Hendrik Haase Aug 27, 2020
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -8,7 +8,7 @@
    creates: /var/lib/mysql/mysql

 - name: configure mariadb
-  template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf
+  template: src=server.cnf.j2 dest=/etc/my.cnf.d/server.cnf owner=root group=root mode=0644
  notify:
    - restart mariadb

@@ -36,7 +36,7 @@
  no_log: true

 - name: create client configuration for root
-  template: src=client.cnf.j2 dest=/root/.my.cnf
+  template: src=client.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0644
  no_log: true

 - name: configure zabbix-agent user

--- a/roles/patchwork/tasks/main.yml
+++ b/roles/patchwork/tasks/main.yml
@@ -118,7 +118,7 @@
 - name: deploy new release
  become: true
  become_user: patchwork
-  file: path=/etc/uwsgi/vassals/patchwork.ini state=touch
+  file: path=/etc/uwsgi/vassals/patchwork.ini state=touch owner=root group=root mode=0644
  when: (release.changed or config.changed or virtualenv.changed or patchwork_forced_deploy)

 - name: start and enable patchwork memcached service and notification timer

--- a/roles/phrik/tasks/main.yml
+++ b/roles/phrik/tasks/main.yml
@@ -22,13 +22,13 @@
  tags: ['archusers']

 - name: install phrik sudoers config
-  copy: src=sudoers dest=/etc/sudoers.d/phrik
+  copy: src=sudoers dest=/etc/sudoers.d/phrik owner=root group=root mode=0440

 - name: install polkit rule for restarting phrik
-  copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules
+  copy: src=20-manage-phrik.rules dest=/etc/polkit-1/rules.d/20-manage-phrik.rules owner=root group=root mode=0644

 - name: install phrik systemd service
-  copy: src=phrik.service dest=/etc/systemd/system/phrik.service
+  copy: src=phrik.service dest=/etc/systemd/system/phrik.service owner=root group=root mode=0644

 - name: start and enable pkgfile and phrikservice
  systemd:

--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -16,6 +16,7 @@
    group: postgres
    attributes: "+C"
    path: /var/lib/postgres/data
+    mode: 0700
  when: filesystem == "btrfs"

 - name: initialize postgres

--- a/roles/rsync_net/tasks/main.yml
+++ b/roles/rsync_net/tasks/main.yml
@@ -21,7 +21,7 @@
  delegate_to: localhost

 - name: fill tempfile
-  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}"
+  copy: content="{{ lookup('template', 'authorized_keys.j2') }}" dest="{{ tempfile.path }}" owner=root group=root mode=0644
  delegate_to: localhost

 - name: upload authorized_keys file

--- a/roles/security_tracker/tasks/main.yml
+++ b/roles/security_tracker/tasks/main.yml
@@ -34,7 +34,7 @@
  user: name=security shell=/bin/false home="{{ security_tracker_dir }}" createhome=no

 - name: fix home permissions
-  file: state=directory owner=security group=security path="{{ security_tracker_dir }}"
+  file: state=directory mode=0750 owner=security group=security path="{{ security_tracker_dir }}"

 - name: copy security-tracker units
  copy: src="{{ item }}" dest="/etc/systemd/system/{{ item }}" owner=root group=root mode=0644
@@ -89,7 +89,7 @@
 - name: deploy new release
  become: true
  become_user: security
-  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch
+  file: path=/etc/uwsgi/vassals/security-tracker.ini state=touch owner=root group=root mode=0644
  when: release.changed

 - name: start and enable security-tracker timer

--- a/roles/spampd/tasks/main.yml
+++ b/roles/spampd/tasks/main.yml
@@ -26,7 +26,7 @@
    - systemd daemon reload

 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path="/etc/pacman.d/hooks"
+  file: state=directory path="/etc/pacman.d/hooks" owner=root group=root mode=0755

 - name: install pacman sa-update hook
  copy: src=sa-update.hook dest=/etc/pacman.d/hooks/sa-update.hook owner=root group=root mode=0644

--- a/roles/sudo/tasks/main.yml
+++ b/roles/sudo/tasks/main.yml
@@ -22,6 +22,9 @@
    insertafter: '^# %wheel ALL=\(ALL\) ALL'
    line: '%wheel ALL=(ALL) ALL'
    validate: 'visudo -cf %s'
+    mode: 0440
+    user: root
+    group: root

 - name: secure path to protect against attacks
  lineinfile:
@@ -31,3 +34,6 @@
    insertafter: '^# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
    line: 'Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"'
    validate: 'visudo -cf %s'
+    mode: 0440
+    user: root
+    group: root
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -35,6 +35,9 @@
    insertafter: '^#CacheDir'
    regexp: '^CacheDir'
    line: 'CacheDir     = /var/cache/pacman/pkg/ /srv/ftp/pool/packages/ /srv/ftp/pool/community/'
+    mode: 0644
+    user: root
+    group: root

 - name: make nginx log dir
  file: path=/var/log/nginx/{{ mirror_domain }} state=directory owner=root group=root mode=0755

--- a/roles/wkd/tasks/main.yml
+++ b/roles/wkd/tasks/main.yml
@@ -13,7 +13,7 @@
    - run wkd service

 - name: create pacman.d hooks dir
-  file: state=directory owner=root group=root path=/etc/pacman.d/hooks
+  file: state=directory path=/etc/pacman.d/hooks mode=0755 owner=root group=root

 - name: install pgp_import hook
  template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644

--- a/roles/zabbix_agent/tasks/main.yml
+++ b/roles/zabbix_agent/tasks/main.yml
@@ -106,7 +106,7 @@
  when: "'nginx' in group_names"

 - name: install sudo config
-  template: src=zabbix-agent-sudoers.conf.j2 dest=/etc/sudoers.d/zabbix-agent-sudoers
+  template: src=zabbix-agent-sudoers.conf.j2 dest=/etc/sudoers.d/zabbix-agent-sudoers mode=0440 owner=root group=root

 - name: copy nginx-zabbix.service
  copy: src=nginx-zabbix.service dest=/etc/systemd/system/nginx-zabbix.service owner=root group=root mode=0644