From cdcf7f15b03a95e5ee8daac97be91d36a6af7243 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 14 Feb 2024 19:03:24 +0100
Subject: [PATCH] Fix permissions for rootwrap files
At the moment we set 640 permissions to /etc/neutron/rootwrap.d folder. While it doesn't cause any issues right now, since root still able to read files in there, but this makes us to use root for services when it should not be needed. Also playbook is not idempotent, as it changes permissions for same directory multiple times during runtime. Task for setting rootwrap permissions is removed, since it's behaviour is weird by design of file module. It can be applied only to directories, meaning that either directory will not have execution permissions or all files inisde it will have executable flag.
Change-Id: I577221e94d6cf9d940ee310757383cee24b80a03
---
tasks/neutron_post_install.yml | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/tasks/neutron_post_install.yml b/tasks/neutron_post_install.yml
index b4e239cb..331cfee7 100644
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@@ -23,12 +23,10 @@
state: "directory"
owner: "{{ item.owner | default(neutron_system_user_name) }}"
group: "{{ item.group | default(neutron_system_group_name) }}"
- mode: "{{ item.mode | default('0755') }}"
+ mode: "{{ item.mode | default('0750') }}"
with_items:
- path: "{{ neutron_conf_version_dir }}/plugins"
- mode: "0750"
- path: "{{ neutron_conf_version_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
- mode: "0750"
- path: "{{ neutron_conf_version_dir }}/rootwrap.d"
owner: "root"
group: "root"
@@ -41,7 +39,7 @@
dest: "{{ neutron_conf_version_dir }}/rootwrap.d/"
owner: "root"
group: "root"
- mode: "0644"
+ mode: "0640"
with_fileglob:
- rootwrap.d/*
notify:
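Review bot: Changing the loop default from `'0755'` to `'0750'` applies to every `with_items` entry that carries no explicit `mode`, and since the list may continue past the end of this hunk, entries not visible here get the tighter mode as well; that is presumably intended, but it is not stated anywhere in the task. For the `rootwrap.d` entry the result is a root:root directory with `0750`, which leaves the `neutron_system_user_name` account with no access to it at all; that is only correct if the filters are read by rootwrap running as root under sudo, which nothing in this hunk shows, so I would document the assumption above the item: `# rootwrap.d is read by neutron-rootwrap via sudo as root; the service user needs no access to it`. The enclosing `file` task starts before this hunk and its `with_items` list may end after it.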
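Review bot: With the recursive `Set rootwrap.d permissions` task dropped elsewhere in this patch, this copy is now the only thing that sets ownership and mode under `rootwrap.d`, and it only touches files matched by the role's `rootwrap.d/*` glob, so a filter file already present on the host from an earlier role version or added by an operator keeps whatever owner and mode it had. Because these filters define what the neutron user may run as root through rootwrap, a filter writable by the service user is a privilege-escalation path, and the role should keep enforcing root ownership on every file in the directory rather than only on the ones it ships. The directory-versus-file problem the commit message describes is solved by a symbolic mode with `X`, which sets the execute bit only on directories (and on files that already have it): a follow-up `file` task with `path: "{{ neutron_conf_version_dir }}/rootwrap.d"`, `recurse: true` and `mode: "u=rwX,g=rX,o="` yields 0750 on the directory and 0640 on the filter files, matching what this hunk sets for the copied ones. The copy task's `name:` and `src:` lines sit before the start of this hunk.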
@@ -138,15 +136,6 @@
check_mode: false
with_items: "{{ neutron_core_files }}"
- # NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
- - name: Set rootwrap.d permissions
- file:
- path: "{{ neutron_conf_version_dir }}/rootwrap.d"
- owner: "root"
- group: "root"
- mode: "0640"
- recurse: true
-
- name: Copy neutron ml2 plugin config
openstack.config_template.config_template:
src: "{{ ('plugin_conf_bare' not in neutron_plugins[item]) | ternary(neutron_plugins[item].plugin_ini ~ '.j2', omit) }}"