Weird directory permissions after directory was created by Ansible playbook

Listed in: Ansible, Linux


Weird directory permissions were found on a web server, which was deployed using an Ansible playbook. Although the user and group ownerships (www-data) were correctly applied, the initially defined permissions (2775) were completely off:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (5327/d-ws-w-rwt)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:16:13.659680824 +0200
 Birth: -

Instead of 2775 permissions, a weird 5327 mode was set on this directory.

Looking closer at the relevant playbook task, the directory is supposed to be created with a permission mode 2775:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: 2775
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

The mode is set to 2775, so it should work, right? Did something change this directory after the playbook was run?

But another playbook run showed that the listed directories did not change; the permissions stayed at this weird 5327 mode.

Looking once more at the Ansible file documentation, something very interesting was found:

For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.

This means that a mode of 0775 would have worked, but the leading 2 in 2775 makes the YAML parser hand Ansible a decimal number (2775 in decimal is 5327 in octal), which causes this very unexpected result.
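To make that conversion concrete, here is an added Python example (not code from the post or from Ansible) that mimics what each form of the mode value turns into, renders the result the way stat shows it, and scans a playbook text for unquoted modes without a leading zero; the Ansible-like conversion is a simplification assumed here, and the sample playbook is constructed.

```python
import re
import stat

def effective_mode(value):
    """Mimic Ansible's file module: YAML gives it an int for an unquoted number
    (2775 -> decimal 2775) or a str for a quoted one ('2775'), parsed as octal.
    Symbolic modes (u=rwx,g=rx) are not handled here (assumed simplification)."""
    if isinstance(value, int):
        return value            # used as-is: the decimal number YAML produced
    return int(value, 8)        # string: converted from octal, as the docs describe

def describe_mode(mode):
    """(octal text, symbolic text) for a directory, as stat's Access field shows it."""
    return format(mode, "04o"), stat.filemode(stat.S_IFDIR | mode)

MODE_LINE = re.compile(r"^\s*mode:\s*(\S+)")

def audit_playbook(text):
    """Flag block-style 'mode:' lines whose value YAML hands to Ansible as a decimal
    int. Returns [(line number, raw value, resulting octal mode), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = MODE_LINE.match(line)
        if not m:
            continue
        raw = m.group(1)
        if raw[0] in "'\"" or raw.startswith("0") or not raw.isdigit():
            continue            # quoted, leading-zero octal, templated or symbolic: fine
        findings.append((lineno, raw, describe_mode(effective_mode(int(raw)))[0]))
    return findings

# Constructed sample (not the post's full playbook): one unsafe task, two safe ones.
SAMPLE_PLAYBOOK = """\
  - name: Unquoted mode
    file:
      path: /var/log/application
      mode: 2775
  - name: Quoted mode
    file:
      path: /var/www
      mode: '2775'
  - name: Leading-zero mode
    file:
      path: /var/www/monitoring
      mode: 0755
"""
if __name__ == "__main__":
    print(describe_mode(effective_mode(2775)))  # ('5327', 'd-ws-w-rwt')
    for lineno, raw, octal in audit_playbook(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: mode {raw} is decimal, becomes octal {octal}")
```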

Surrounding the mode with quotes ('2775') should therefore solve the problem:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: '2775'
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

Another playbook run, and this time the directories were indeed changed:

TASK [Web-Application base directories] *********************************************************************
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application/login', u'group': u'www-data'})
changed: [web] =>(item={u'owner': u'www-data', u'path': u'/var/www/application/login-v2', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'root', u'path': u'/var/www/monitoring', u'group': u'root'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/log/application', u'group': u'www-data'})

And on the system itself, the correct permissions are finally showing up:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (2775/drwxrwsr-x)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:54:31.255760056 +0200
 Birth: -
