1 change: 0 additions & 1 deletion ansible-lint.conf
Expand Up @@ -14,7 +14,6 @@ exclude_paths:
skip_list:
- yaml # yaml syntax warnings
- role-name # All role names should match "^[a-z_][a-z0-9_]*$"
- risky-file-permissions # All file creation must specify permissions
- fqcn-builtins # Can't use buildins module without precising the full name with the "ansible.builtin." prefix

warn_list:
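Review bot: Dropping `risky-file-permissions` from `skip_list` only bites on tasks that do not carry the matching `# noqa`, and every existing `copy`/`template`/`file` hit in this PR is suppressed that way, so the rule is now enforced only for tasks written from here on. For the destinations where the mode is part of the control — `/etc/sudoers.d/*`, `/etc/pam.d/su`, `/etc/ssh/sshd_config.d/*`, `/etc/audit/rules.d/*` and the `/tmp/secret.xml` written by `configure_libvirt_rdb_secret` — an explicit `mode:` line is the fix the rule asks for, and as I read the module docs it is also the only way to reset a destination that already exists, since `copy`/`template` without `mode` keep an existing file's permissions. A comment above `skip_list`, e.g. `# risky-file-permissions is handled per task with "# noqa" where the umask default is the intended mode`, would tell the next reader why the rule is enabled yet seldom fires.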
6 changes: 3 additions & 3 deletions playbooks/ci_prepare_publisher.yaml
Expand Up @@ -17,16 +17,16 @@
hosts:
- publisher_machine
tasks:
- name: Copy ptp4l.service
- name: Copy ptp4l.service # noqa: risky-file-permissions
ansible.builtin.template:
src: "{{ (playbook_dir | dirname) }}/templates/ptp4l.service.j2"
dest: /etc/systemd/system/ptp4l.service
notify: Enable ptp4l.service
- name: Copy ptp4l.conf
- name: Copy ptp4l.conf # noqa: risky-file-permissions
ansible.builtin.template:
src: "{{ (playbook_dir | dirname) }}/templates/ptp4l.conf.j2"
dest: /etc/linuxptp/ptp4l.conf
- name: Send phc2sys.service
- name: Send phc2sys.service # noqa: risky-file-permissions
ansible.builtin.template:
src: "{{ (playbook_dir | dirname) }}/templates/phc2sys.service.j2"
dest: /etc/systemd/system/phc2sys.service
2 changes: 1 addition & 1 deletion playbooks/seapath_setup_prerequisdebian.yaml
Expand Up @@ -123,7 +123,7 @@
- VMs
become: true
tasks:
- name: Create /etc/apt/sources.list.d/
- name: Create /etc/apt/sources.list.d/ # noqa: risky-file-permissions
file:
state: directory
path: /etc/apt/sources.list.d/
2 changes: 1 addition & 1 deletion playbooks/seapath_update_yocto_cluster.yaml
Expand Up @@ -20,7 +20,7 @@
"Migrating" not in check_migration.stdout
changed_when: false
retries: 10
- name: Copy SWU file on machine
- name: Copy SWU file on machine # noqa: risky-file-permissions
copy:
src: "../{{ swu_image }}"
dest: "/tmp/update.swu"
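Review bot: `Copy SWU file on machine` writes the update image to `/tmp/update.swu` with whatever mode the remote umask yields, and the new `# noqa` hides that rather than settling it; the identical task in `playbooks/seapath_update_yocto_standalone.yaml` has the same gap. If the image is not meant to be readable by every local account on the target, `mode: "0600"` on the `copy` states that in one line and lets the suppression go. The task's remaining arguments continue below the hunk, so I cannot tell whether ownership is set there.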
2 changes: 1 addition & 1 deletion playbooks/seapath_update_yocto_standalone.yaml
Expand Up @@ -9,7 +9,7 @@
- name: Update machine
hosts: "{{ machine_to_update }}"
tasks:
- name: Copy SWU file on machine
- name: Copy SWU file on machine # noqa: risky-file-permissions
copy:
src: "../{{ swu_image }}"
dest: "/tmp/update.swu"
2 changes: 1 addition & 1 deletion roles/centos_physical_machine/tasks/main.yml
Expand Up @@ -173,7 +173,7 @@
set_fact:
centos_physical_machine_lvm_rebooter_log_path: "{{ centos_physical_machine_varlog_path.stdout }}"

- name: Copy rebooter.conf
- name: Copy rebooter.conf # noqa: risky-file-permissions
template:
src: initramfs-tools/conf.d/rebooter.conf.j2
dest: /etc/dracut.conf.d/rebooter.conf
4 changes: 2 additions & 2 deletions roles/cephadm/tasks/main.yml
Expand Up @@ -36,7 +36,7 @@
shell: /sbin/nologin
when: seapath_distro == "Debian"

- name: Set cephadm user sudo permissions
- name: Set cephadm user sudo permissions # noqa: risky-file-permissions
copy:
src: cephadm_sudoers
dest: /etc/sudoers.d/cephadm
Expand Down Expand Up @@ -170,7 +170,7 @@
changed_when: true

# === Bootstrap if currently no ceph nodes ===
- name: Upload file ceph.conf needed for bootstrapping
- name: Upload file ceph.conf needed for bootstrapping # noqa: risky-file-permissions
template:
src: ceph.conf.j2
dest: /tmp/ceph.conf
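Review bot: `Set cephadm user sudo permissions` drops a file into `/etc/sudoers.d/` without a `mode`, and the `# noqa` silences the one check that would have flagged it; sudo expects drop-ins to be root-owned and 0440, and `visudo -c` reports anything looser as bad permissions. Replacing the suppression with `mode: "0440"` and `validate: /usr/sbin/visudo -cf %s` on the `copy` also stops a malformed `cephadm_sudoers` from being installed and breaking sudo on the node. `roles/debian_hardening/tasks/main.yml` (`Disable require tty for cockpit`, `/etc/sudoers.d/cockpit`) has the same gap. The second hunk's `/tmp/ceph.conf` is less sensitive, but an explicit `mode` is the idiomatic answer there too.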
6 changes: 3 additions & 3 deletions roles/ci_centos/tasks/main.yaml
Expand Up @@ -14,7 +14,7 @@
file:
path: /usr/share/testdata/cukinia.conf
state: absent
- name: Copy Cukinia test configuration
- name: Copy Cukinia test configuration # noqa: risky-file-permissions
copy:
src: files/cukinia.conf
dest: /usr/share/testdata/cukinia.conf
Expand All @@ -29,11 +29,11 @@
- name: Copy test vm domainxmls to the hypervisors
when: "'hypervisors' in group_names"
block:
- name: Copy vm.xml
- name: Copy vm.xml # noqa: risky-file-permissions
copy:
src: files/vm.xml
dest: /usr/share/testdata/
- name: Copy wrong_vm_config.xml
- name: Copy wrong_vm_config.xml # noqa: risky-file-permissions
copy:
src: files/wrong_vm_config.xml
dest: /usr/share/testdata/
2 changes: 1 addition & 1 deletion roles/ci_yocto/synchronise_vms/tasks/main.yaml
Expand Up @@ -13,7 +13,7 @@
name: phc2sys
state: stopped
when: "'phc2sys' in services"
- name: Copy systemd service file to server
- name: Copy systemd service file to server # noqa: risky-file-permissions
template:
src: phc2sys.service.j2
dest: /etc/systemd/system/phc2sys.service
6 changes: 3 additions & 3 deletions roles/configure_ha/tasks/main.yml
Expand Up @@ -5,7 +5,7 @@
- name: Load distribution-specific variables
include_vars: "{{ seapath_distro }}.yml"

- name: Save cluster machine informations
- name: Save cluster machine informations # noqa: risky-file-permissions
template:
src: cluster.conf.j2
dest: /etc/cluster.conf
Expand Down Expand Up @@ -61,7 +61,7 @@
mode: 0400
when: inventory_hostname != play_hosts[0]

- name: Templating corosync.conf
- name: Templating corosync.conf # noqa: risky-file-permissions
template:
src: corosync.conf.j2
dest: /etc/corosync/corosync.conf
Expand Down Expand Up @@ -91,7 +91,7 @@
- groups['valid_machine'] is defined
- "'unconfigured_machine_group' in group_names"
block:
- name: Templating corosync.conf
- name: Templating corosync.conf # noqa: risky-file-permissions
template:
src: corosync.conf.j2
dest: /etc/corosync/corosync.conf
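Review bot: Two tasks in this file now carry the identical name `Templating corosync.conf` — the unconditional one in the second hunk and the one under `block:` in the third — which makes `--list-tasks`/`--start-at-task` output and the per-task `# noqa` bookkeeping ambiguous; renaming the second, e.g. `Templating corosync.conf for unconfigured machines`, costs nothing. On substance, `/etc/cluster.conf` and `/etc/corosync/corosync.conf` look like plain configuration rather than key material as far as the hunks show, so `# noqa` is defensible here, though the file already uses `mode:` two lines above the second hunk and an explicit `mode: "0644"` would match its own convention. Each of the three tasks continues below its hunk.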
2 changes: 1 addition & 1 deletion roles/configure_libvirt_rdb_secret/tasks/main.yml
Expand Up @@ -50,7 +50,7 @@
- configure_libvirt_rdb_secret_create_secret_pool
- configure_libvirt_rdb_secret_secret_defined.stdout == ''
block:
- name: Copy libvirt xml secret file
- name: Copy libvirt xml secret file # noqa: risky-file-permissions
template:
src: secret.xml.j2
dest: /tmp/secret.xml
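Review bot: `Copy libvirt xml secret file` renders `secret.xml.j2` into `/tmp/secret.xml` with no `mode`, so if the template carries anything beyond the secret's UUID and usage name it sits readable by every local account in a shared directory until something removes it; the rest of the `block:` is outside the hunk, so I cannot see whether it is cleaned up. `mode: "0600"` on the `template` task is one line and makes the `# noqa` unnecessary. If the block does not already delete the file once the secret has been defined, a `file:` task with `state: absent` under the block's `always:` would close the window.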
2 changes: 1 addition & 1 deletion roles/debian/tasks/main.yml
Expand Up @@ -201,7 +201,7 @@
file:
path: /etc/apt/sources.list.d
state: absent
- name: Configure apt repositories
- name: Configure apt repositories # noqa: risky-file-permissions
template:
src: sources.list.j2
dest: /etc/apt/sources.list
34 changes: 17 additions & 17 deletions roles/debian_hardening/tasks/main.yml
Expand Up @@ -31,7 +31,7 @@
with_items: "{{ debian_hardening_kernel_params }}"
when: revert

- name: "Disable coredumps"
- name: "Disable coredumps" # noqa: risky-file-permissions
lineinfile:
dest: /etc/sysctl.d/50-coredump.conf
regexp: "^kernel.core_pattern=/dev/null$"
Expand All @@ -48,7 +48,7 @@
notify: Update sysfs values using sysctl
when: revert

- name: "Disable kexec"
- name: "Disable kexec" # noqa: risky-file-permissions
lineinfile:
dest: /etc/sysctl.d/50-kexec.conf
regexp: "^kernel.kexec_load_disabled=1$"
Expand All @@ -65,7 +65,7 @@
notify: Update sysfs values using sysctl
when: revert

- name: "Disable binfmt_misc"
- name: "Disable binfmt_misc" # noqa: risky-file-permissions
lineinfile:
dest: /etc/sysctl.d/50-binfmt_misc.conf
regexp: "^fs.binfmt_misc.status=0$"
Expand All @@ -82,7 +82,7 @@
notify: Update sysfs values using sysctl
when: revert

- name: "Install hardened sysfs rules"
- name: "Install hardened sysfs rules" # noqa: risky-file-permissions
copy:
src: sysctl/90-sysctl-hardening.conf
dest: /etc/sysctl.d/zz-sysctl-hardening.conf
Expand All @@ -95,7 +95,7 @@
notify: Update sysfs values using sysctl
when: revert

- name: "Install network hardened sysfs rules"
- name: "Install network hardened sysfs rules" # noqa: risky-file-permissions
copy:
src: sysctl/99-sysctl-network.conf
dest: /etc/sysctl.d/99-sysctl-network.conf
Expand All @@ -108,7 +108,7 @@
notify: Update sysfs values using sysctl
when: revert

- name: "Install random-root-passwd.service"
- name: "Install random-root-passwd.service" # noqa: risky-file-permissions
copy:
src: random-root-passwd.service
dest: /etc/systemd/system/random-root-passwd.service
Expand All @@ -131,7 +131,7 @@
state: absent
when: revert

- name: "Enable private TMPDIR"
- name: "Enable private TMPDIR" # noqa: risky-file-permissions
copy:
src: mktmpdir.sh
dest: /etc/profile.d/mktmpdir.sh
Expand All @@ -142,7 +142,7 @@
state: absent
when: revert

- name: "Set bash timeout to 300s"
- name: "Set bash timeout to 300s" # noqa: risky-file-permissions
copy:
src: terminal_idle.sh
dest: /etc/profile.d/terminal_idle.sh
Expand All @@ -153,7 +153,7 @@
state: absent
when: revert

- name: Install openssh hardening rules
- name: Install openssh hardening rules # noqa: risky-file-permissions
template:
src: ssh-audit_hardening.conf.j2
dest: /etc/ssh/sshd_config.d/ssh-audit_hardening.conf
Expand Down Expand Up @@ -222,7 +222,7 @@
ignore_errors: true
changed_when: false

- name: Disable require tty for cockpit
- name: Disable require tty for cockpit # noqa: risky-file-permissions
copy:
src: sudoers/cockpit
dest: /etc/sudoers.d/cockpit
Expand Down Expand Up @@ -267,22 +267,22 @@
- PASS_MAX_DAYS 90
when: revert

- name: Disable su
- name: Disable su # noqa: risky-file-permissions
copy:
src: hardened_pam_su
dest: /etc/pam.d/su
when: not revert
- name: Disable su-l
- name: Disable su-l # noqa: risky-file-permissions
copy:
src: hardened_pam_su
dest: /etc/pam.d/su-l
when: not revert
- name: Restore su pam setting
- name: Restore su pam setting # noqa: risky-file-permissions
copy:
src: default_pam_su
dest: /etc/pam.d/su
when: revert
- name: Restore su -l pam setting
- name: Restore su -l pam setting # noqa: risky-file-permissions
copy:
src: default_pam_su-l
dest: /etc/pam.d/su-l
Expand Down Expand Up @@ -325,7 +325,7 @@
mode: 0755
with_items: "{{ debian_hardening_hardened_services }}"

- name: Add systemd service hardening rules
- name: Add systemd service hardening rules # noqa: risky-file-permissions
copy:
src: "{{ item }}_hardening.conf"
dest: "/etc/systemd/system/{{ item }}.service.d/hardening.conf"
Expand Down Expand Up @@ -368,12 +368,12 @@
line: 'CLASS="--class gnu-linux --class gnu --class os"'
when: revert

- name: Copy syslog.conf
- name: Copy syslog.conf # noqa: risky-file-permissions
copy:
src: auditd/syslog.conf
dest: /etc/audit/plugins.d/syslog.conf

- name: Copy audit.rules
- name: Copy audit.rules # noqa: risky-file-permissions
copy:
src: auditd/audit.rules
dest: /etc/audit/rules.d/audit.rules
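Review bot: In a role whose purpose is hardening, seventeen `# noqa: risky-file-permissions` markers suppress the check instead of answering it, and several destinations are ones where the mode is itself part of the control: `/etc/pam.d/su` and `/etc/pam.d/su-l` (`Disable su`, `Disable su-l` and their `revert` twins), `/etc/ssh/sshd_config.d/ssh-audit_hardening.conf`, `/etc/sudoers.d/cockpit`, and `/etc/audit/rules.d/audit.rules`, which CIS-style baselines expect at 0640 or tighter. Adding `mode: "0644"` (`"0440"` for the sudoers drop-in, `"0640"` for the audit rules) to each `copy`/`template` replaces the suppression with the explicit statement the rule wants, and as I read the module docs it is also the only way these tasks would tighten a destination that already exists with looser permissions, since `copy` without `mode` leaves an existing file's mode alone. The sysctl drop-ins and the `/etc/profile.d` scripts are fine at the umask default, so `# noqa` there is reasonable; a comment on the line above the first of them, e.g. `# umask default (0644) is the intended mode for the sysctl drop-ins below`, would record that decision. The same systemd drop-in task in `roles/debian_hardening_physical_machine/tasks/main.yml` falls in the "fine at default" group.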
2 changes: 1 addition & 1 deletion roles/debian_hardening_physical_machine/tasks/main.yml
Expand Up @@ -67,7 +67,7 @@
mode: 0755
with_items: "{{ debian_hardening_physical_machine_hardened_services }}"

- name: Add systemd service hardening rules for physical machines
- name: Add systemd service hardening rules for physical machines # noqa: risky-file-permissions
copy:
src: "{{ item }}_hardening.conf"
dest: "/etc/systemd/system/{{ item }}.service.d/hardening.conf"
2 changes: 1 addition & 1 deletion roles/debian_physical_machine/tasks/main.yml
Expand Up @@ -214,7 +214,7 @@
set_fact:
debian_physical_machine_lvm_rebooter_log_path: "{{ debian_physical_machine_varlog_path.stdout }}"

- name: Copy rebooter.conf
- name: Copy rebooter.conf # noqa: risky-file-permissions
template:
src: initramfs-tools/conf.d/rebooter.conf.j2
dest: /etc/initramfs-tools/conf.d/rebooter.conf
8 changes: 4 additions & 4 deletions roles/debian_tests/tasks/main.yml
Expand Up @@ -10,7 +10,7 @@
owner: false
rsync_opts:
- "--exclude=*.j2"
- name: Copy Cukinia's tests templates
- name: Copy Cukinia's tests templates # noqa: risky-file-permissions
template:
src: cukinia-tests/cukinia/{{ item.src }}
dest: /etc/cukinia/{{ item.dest }}
Expand All @@ -32,7 +32,7 @@
owner: root
group: root
mode: 0755
- name: Copy Cukinia's includes
- name: Copy Cukinia's includes # noqa: risky-file-permissions
copy:
src: cukinia-tests/includes/
dest: /usr/share/cukinia/includes/
Expand All @@ -47,11 +47,11 @@
- name: Tasks only on hosts
when: "'hypervisors' in group_names"
block:
- name: Copy vm.xml
- name: Copy vm.xml # noqa: risky-file-permissions
copy:
src: cukinia-tests/vm_manager_testdata/vm.xml
dest: /usr/share/testdata
- name: Copy wrong_vm_config.xml
- name: Copy wrong_vm_config.xml # noqa: risky-file-permissions
copy:
src: cukinia-tests/vm_manager_testdata/wrong_vm_config.xml
dest: /usr/share/testdata
2 changes: 1 addition & 1 deletion roles/deploy_vms_cluster/tasks/main.yml
Expand Up @@ -62,7 +62,7 @@
vm_file: "{{ hostvars[item].vm_disk | default( deploy_vms_cluster_vms_disks_directory ~ '/' ~ item ~ '.qcow2') }}"
vm_file_dest: "{{ deploy_vms_cluster_qcow2tmpuploadfolder + '/os.qcow2' }}"
block:
- name: "Copy system disk on target for {{ item }}"
- name: "Copy system disk on target for {{ item }}" # noqa: risky-file-permissions
copy:
src: "{{ vm_file }}"
dest: "{{ vm_file_dest }}"
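Review bot: `Copy system disk on target for {{ item }}` uploads a guest qcow2 image with the remote umask's permissions, so on most hosts the VM's entire disk lands as 0644 and is readable by any local account; the `# noqa` hides that rather than fixing it. `mode: "0600"` on the `copy` (with whatever `owner`/`group` the hypervisor's qemu user needs, which the hunk does not show) is the one-line fix. The two `copy` tasks in `roles/deploy_vms_standalone/tasks/main.yml` (`Copy the disk on target`, `Copy the gzipped disk on target`) write images straight into the disk pool and have the same exposure. The `block:` continues below the hunk.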
6 changes: 3 additions & 3 deletions roles/deploy_vms_standalone/tasks/main.yml
Expand Up @@ -43,7 +43,7 @@
- deploy_vms_standalone_qcow2tmpuploadfolder is defined
- deploy_vms_standalone_qcow2tmpuploadfolder != "/tmp"

- name: Copy the disk on target
- name: Copy the disk on target # noqa: risky-file-permissions
copy:
src: "{{ hostvars[item].vm_disk }}"
dest: "{{ deploy_vms_standalone_disk_pool }}/{{ hostvars[item].inventory_hostname }}.qcow2"
Expand All @@ -55,7 +55,7 @@
- item not in deploy_vms_standalone_all_vms.list_vms or (item in deploy_vms_standalone_all_vms.list_vms and hostvars[item].force is defined and hostvars[item].force)
loop: "{{ groups['VMs'] }}"

- name: Copy the gzipped disk on target
- name: Copy the gzipped disk on target # noqa: risky-file-permissions
copy:
src: "{{ hostvars[item].vm_disk }}"
dest: "{{ deploy_vms_standalone_disk_pool }}/{{ hostvars[item].inventory_hostname }}.img.gz"
Expand Down Expand Up @@ -86,7 +86,7 @@
loop: "{{ groups['VMs'] }}"
when: item not in deploy_vms_standalone_all_vms.list_vms or (item in deploy_vms_standalone_all_vms.list_vms and hostvars[item].force is defined and hostvars[item].force)

- name: Export VM config for debug in /tmp
- name: Export VM config for debug in /tmp # noqa: risky-file-permissions
template:
src: "{{ hostvars[item].vm_template }}"
dest: "/tmp/{{ hostvars[item].inventory_hostname }}.xml"
2 changes: 1 addition & 1 deletion roles/network_configovs/tasks/main.yml
Expand Up @@ -5,7 +5,7 @@
- name: Load distribution-specific variables
include_vars: "{{ seapath_distro }}.yml"

- name: Create OVS configuration
- name: Create OVS configuration # noqa: risky-file-permissions
template:
src: ovs_configuration.json.j2
dest: /etc/ovs_configuration.json