[openstack-dev] [openstack-ansible] restrictive umask / file permissions in target hosts

Major Hayden major at mhtx.net
Mon Jul 17 21:13:06 UTC 2017


On 07/04/2017 03:54 AM, Markus Zoeller wrote:
> How do you deal with hosts which have a restrictive umask of 077
> *before* openstack-ansible starts the setup? Do you start with the
> default umask of 022 and opt-in later to that security hardening[1]?

We don't test for that in the OpenStack-Ansible gates since those settings from openstack-ansible-security/ansible-hardening are disabled by default. It's possible to start with 022 and switch to 077 later, but that could cause additional problems.

> What's the development policy of openstack-ansible regarding setting
> file or directory permissions in tasks?
> 
> * is a umask value of 022 assumed for tasks to work?

Yes.

> * should tasks always explicitly set the file/dir mode?

They certainly should, and if they don't, we should adjust those tasks. I'd rather be as explicit as possible to reduce the chances of problems down the road if distribution defaults change.

--
Major Hayden
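
The effect discussed in this thread, as an added example that is not part of the original message or of openstack-ansible: a file and a directory created without an explicit mode take whatever the umask leaves (644/755 under 022, 600/700 under 077), while objects created with an explicit mode come out the same under either umask. The function names and the `service.conf` / `conf.d` file names are hypothetical.

```shell
#!/bin/sh
# Constructed demo; function and file names are hypothetical.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# What a task with no explicit mode ends up with: the modes are whatever
# the process umask leaves. Prints "<file mode> <dir mode>".
implicit_modes() (
    work=$(mktemp -d) || exit 1
    umask "$1"
    : > "$work/service.conf"
    mkdir "$work/conf.d"
    echo "$(mode_of "$work/service.conf") $(mode_of "$work/conf.d")"
    rm -rf "$work"
)

# The same objects with the mode stated explicitly, as a task that sets
# a mode does. The result no longer depends on the umask.
explicit_modes() (
    work=$(mktemp -d) || exit 1
    umask "$1"
    : > "$work/service.conf"
    chmod 0644 "$work/service.conf"
    mkdir -m 0755 "$work/conf.d"
    echo "$(mode_of "$work/service.conf") $(mode_of "$work/conf.d")"
    rm -rf "$work"
)

# Compare both approaches under the default and the hardened umask.
for mask in 022 077; do
    echo "umask $mask  implicit: $(implicit_modes "$mask")  explicit: $(explicit_modes "$mask")"
done
```

Under umask 077 the implicit file is readable only by the account that created it, so a service running as a different user cannot open it.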


