ansible-hardening: Filesystem modes with letters are not working

Bug #1731005 reported by Major Hayden
Affects: OpenStack-Ansible
Status: Fix Released
Importance: High
Assigned to: Major Hayden
Milestone: (none)

Bug Description

The letter-based modes from the ansible-hardening role are removing certain permissions that they should not remove. Example:

  mode: "u-X,g-ws,o-rwxt"

This removes the setuid bit from the directory along with the execute permissions. For the V-72017 requirement, this removes a user's execute bit for their own home directory, which is really awful.
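
Added example (not part of the bug report or the ansible-hardening code): the mask from the description is applied with chmod to scratch directories, next to the same mask without the u clause, and each result is checked for the owner's search bit. The second mask is an assumption made for comparison, not the merged fix, and the sketch assumes Ansible's mode: parameter applies symbolic clauses the way chmod does.

```shell
#!/bin/sh
# Added illustration; the start modes and scratch directories are constructed samples.
# Needs a stat that supports -c (GNU coreutils or busybox).

# mode_after START MASK: set a scratch directory to START, apply the
# symbolic MASK with chmod, and print the resulting octal mode.
mode_after() {
    d=$(mktemp -d) || return 1
    chmod "$1" "$d" && chmod "$2" "$d" && stat -c '%a' "$d"
    rc=$?
    rmdir "$d"
    return "$rc"
}

# owner_can_search OCTAL: true when the owner's execute (search) bit is
# set, i.e. the user can still cd into and use the directory.
owner_can_search() {
    [ $(( 0$1 & 0100 )) -ne 0 ]
}

REPORTED='u-X,g-ws,o-rwxt'   # mask quoted in the bug description
WITHOUT_U='g-ws,o-rwxt'      # assumption: same mask minus the u clause

for start in 755 700 2775; do
    for mask in "$REPORTED" "$WITHOUT_U"; do
        result=$(mode_after "$start" "$mask") || exit 1
        if owner_can_search "$result"; then
            verdict='owner can still enter'
        else
            verdict='OWNER LOCKED OUT'
        fi
        printf '%-5s %-16s -> %-4s %s\n' "$start" "$mask" "$result" "$verdict"
    done
done
```

Running the same check against a hardening role's mode strings before they touch real home directories catches a mask that leaves the owner without search permission.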

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (master)

Fix proposed to branch: master
Review: https://review.openstack.org/518593

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (master)

Reviewed: https://review.openstack.org/518593
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=79b3d25070f86804bd6cc4b04a82f2a9bb1f4982
Submitter: Zuul
Branch: master

commit 79b3d25070f86804bd6cc4b04a82f2a9bb1f4982
Author: Major Hayden <email address hidden>
Date: Thu Nov 9 08:47:14 2017 -0600

    Fix filesystem permission masks

    The setuid bit is ignored on directories, so it's not necessary
    to remove it. The tasks currently remove the user's ability to
    use their home directory.

    The patch fixes the permissions problem, ensures that the 'nobody'
    user is skipped, and enables testing for the tasks in the gate.

    Closes-Bug: 1731005
    Closes-Bug: 1730994
    Change-Id: Id7be77b2eaa707c4c27d46f97d07f34825813749

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-hardening (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/518760

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-hardening (stable/pike)

Reviewed: https://review.openstack.org/518760
Committed: https://git.openstack.org/cgit/openstack/ansible-hardening/commit/?id=5543b54ffb97072152fd6fe7c321bf2a4fb39e16
Submitter: Zuul
Branch: stable/pike

commit 5543b54ffb97072152fd6fe7c321bf2a4fb39e16
Author: Major Hayden <email address hidden>
Date: Thu Nov 9 08:47:14 2017 -0600

    Fix filesystem permission masks

    The setuid bit is ignored on directories, so it's not necessary
    to remove it. The tasks currently remove the user's ability to
    use their home directory.

    The patch fixes the permissions problem, ensures that the 'nobody'
    user is skipped, and enables testing for the tasks in the gate.

    Closes-Bug: 1731005
    Closes-Bug: 1730994
    Change-Id: Id7be77b2eaa707c4c27d46f97d07f34825813749
    (cherry picked from commit 79b3d25070f86804bd6cc4b04a82f2a9bb1f4982)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 16.0.5

This issue was fixed in the openstack/ansible-hardening 16.0.5 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/ansible-hardening 17.0.0.0b2

This issue was fixed in the openstack/ansible-hardening 17.0.0.0b2 development milestone.
