Fix permissions for rootwrap files

At the moment we set 640 permissions to /etc/neutron/rootwrap.d folder. While it doesn't cause any issues right now, since root still able to read files in there, but this makes us to use root for services when it should not be needed. Also playbook is not idempotent, as it changes permissions for same directory multiple times during runtime. Task for setting rootwrap permissions is removed, since it's behaviour is weird by design of file module. It can be applied only to directories, meaning that either directory will not have execution permissions or all files inisde it will have executable flag. Change-Id: I577221e94d6cf9d940ee310757383cee24b80a03
2024-02-14 19:03:24 +01:00 · 2024-02-14 19:03:24 +01:00 · cdcf7f15b0
commit cdcf7f15b0
parent 70bb847605
1 changed files with 2 additions and 13 deletions
--- a/tasks/neutron_post_install.yml
+++ b/tasks/neutron_post_install.yml
@ -23,12 +23,10 @@
        state: "directory"
        owner: "{{ item.owner | default(neutron_system_user_name) }}"
        group: "{{ item.group | default(neutron_system_group_name) }}"
-        mode: "{{ item.mode | default('0755') }}"
+        mode: "{{ item.mode | default('0750') }}"
      with_items:
        - path: "{{ neutron_conf_version_dir }}/plugins"
-          mode: "0750"
        - path: "{{ neutron_conf_version_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}"
-          mode: "0750"
        - path: "{{ neutron_conf_version_dir }}/rootwrap.d"
          owner: "root"
          group: "root"
@ -41,7 +39,7 @@
        dest: "{{ neutron_conf_version_dir }}/rootwrap.d/"
        owner: "root"
        group: "root"
-        mode: "0644"
+        mode: "0640"
      with_fileglob:
        - rootwrap.d/*
      notify:
@ -138,15 +136,6 @@
      check_mode: false
      with_items: "{{ neutron_core_files }}"

-    # NOTE(cloudnull): This will ensure strong permissions on all rootwrap files.
-    - name: Set rootwrap.d permissions
-      file:
-        path: "{{ neutron_conf_version_dir }}/rootwrap.d"
-        owner: "root"
-        group: "root"
-        mode: "0640"
-        recurse: true
-
    - name: Copy neutron ml2 plugin config
      openstack.config_template.config_template:
        src: "{{ ('plugin_conf_bare' not in neutron_plugins[item]) | ternary(neutron_plugins[item].plugin_ini ~ '.j2', omit) }}"