In Unix file system permissions, the "others
" category refers to all users except the owner of the file system resource and the
members of the group assigned to this resource.
Granting permissions to this category can lead to unintended access to files or directories that could allow attackers to obtain sensitive
information, disrupt services or elevate privileges.
Ask Yourself Whether
- The Ansible host is designed to have multiple users.
- Services are run by dedicated low-privileged users to achieve privileges separation.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
The most restrictive possible permissions should be assigned to files and directories.
To be secure, remove the unnecessary permissions. If required, use owner
and group
to set the target user and group.
Sensitive Code Example
---
- name: My deployment
hosts: all
tasks:
- name: Create /etc/demo with permissions
ansible.builtin.file:
path: /etc/demo
state: directory
mode: '0777' # Sensitive
- name: Copy demo3.conf and set symbolic permissions
ansible.builtin.copy:
src: /files/demo.conf
dest: /etc/demo/demo.conf
mode: 'a=r,u+w' # Sensitive
Compliant Solution
---
- name: My deployment
hosts: all
tasks:
- name: Create /etc/demo with permissions
ansible.builtin.file:
path: /etc/demo
state: directory
mode: '0770'
- name: Copy demo3.conf and set symbolic permissions
ansible.builtin.copy:
src: /files/demo.conf
dest: /etc/demo/demo.conf
mode: 'g=r,u+w,o='
See