Weird directory permissions were found on a web server, which was deployed using an Ansible playbook. Although the user and group ownerships (www-data) were correctly applied, the initially defined permissions (2775) were completely off:
ck@web:~$ stat /var/log/application/
File: /var/log/application/
Size: 36864 Blocks: 80 IO Block: 4096 directory
Device: fd03h/64771d Inode: 139082 Links: 2
Access: (5327/d-ws-w-rwt) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:16:13.659680824 +0200
Birth: -
Instead of 2775 permissions, a weird 5327 mode was set on this directory.
Looking closer at the relevant playbook task, the directory is supposed to be created with a permission mode 2775:
- name: Web-Application base directories
  file:
    path: '{{ item.path }}'
    state: directory
    owner: '{{ item.owner }}'
    group: '{{ item.group }}'
    mode: 2775
  with_items:
    - { path: '/var/www', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
    - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }
The mode is set to 2775, so it should work, right? Did something change this directory after the playbook was run?
But another playbook run showed that the listed directories did not change; the permissions stayed at this weird 5327 mode.
Looking once more at the Ansible file documentation, something very interesting was found:
For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.
This means that a mode of 0775 would have worked, but the leading 2 in 2775 (no leading zero, no quotes) makes the YAML parser read it as the decimal number 2775, which is octal 5327, and that is exactly the very unexpected mode seen above.
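To make the arithmetic behind this visible, here is an added Python example (not code from the original post or from Ansible) that mimics how a YAML 1.1 parser types a bare `mode:` scalar, what mode Ansible then ends up applying, renders the result the way stat(1) prints it, and scans playbook text for unquoted numeric modes. The playbook text it scans is constructed for the example, and the scalar typing rules are a simplified imitation of PyYAML, not its real implementation.

```python
import re
import stat

# Constructed sample playbook text (not the page's file): one bad mode, two good ones.
SAMPLE_PLAYBOOK = """\
- name: Web-Application base directories
  file:
    path: '{{ item.path }}'
    state: directory
    mode: 2775
- name: Config file
  file:
    path: /etc/app.conf
    mode: '0640'
- name: Drop directory
  file:
    path: /srv/drop
    mode: 01777
"""

_QUOTED = re.compile(r"^(['\"])(.*)\1$")
_OCTAL = re.compile(r"^0[0-7]+$")
_DECIMAL = re.compile(r"^[1-9][0-9]*$")


def parse_yaml_scalar(raw):
    """Simplified imitation of how a YAML 1.1 parser (PyYAML) types a bare scalar.

    Quoted text stays a string; a digit run with a leading zero is octal; any other
    digit run is a plain decimal integer; anything else (e.g. u=rwx,g=rx) stays a string.
    """
    m = _QUOTED.match(raw)
    if m:
        return m.group(2)
    if _OCTAL.match(raw):
        return int(raw, 8)
    if _DECIMAL.match(raw):
        return int(raw, 10)
    return raw


def effective_mode(value):
    """Mode bits that end up being applied for a numeric `mode:` value.

    An int has already been typed by YAML and is used as-is, so a bare 2775 means
    decimal 2775. A string is converted as octal, which is the behaviour the
    documentation quoted above describes.
    """
    if isinstance(value, int):
        return value
    return int(value, 8)


def mode_string(mode, is_dir=True):
    """Render mode bits the way stat(1) prints them, e.g. 'd-ws-w-rwt'."""
    return stat.filemode(mode | (stat.S_IFDIR if is_dir else stat.S_IFREG))


def lint_playbook(text):
    """Flag `mode:` values that YAML will turn into a decimal integer.

    Returns (line_number, raw_value, octal_mode_that_would_be_applied) per finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = re.match(r"^\s*mode:\s*(\S+)\s*$", line)
        if not m:
            continue
        raw = m.group(1)
        if _DECIMAL.match(raw):
            findings.append((lineno, raw, format(int(raw, 10), "04o")))
    return findings


if __name__ == "__main__":
    for raw in ("2775", "'2775'", "0775"):
        mode = effective_mode(parse_yaml_scalar(raw))
        print(f"mode: {raw:<8} -> {mode:04o} {mode_string(mode)}")
    for lineno, raw, octal in lint_playbook(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: mode: {raw} is decimal, would apply {octal}")
```

Running it shows `mode: 2775` resolving to `5327 d-ws-w-rwt`, the same line stat printed above, while `'2775'` resolves to `2775 drwxrwsr-x`. The linter only flags the bare `2775`; the quoted `'0640'` and the zero-prefixed `01777` pass, matching the two forms the Ansible documentation allows.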
By surrounding the permission with quotes ('2775'), this should solve the problem:
- name: Web-Application base directories
  file:
    path: '{{ item.path }}'
    state: directory
    owner: '{{ item.owner }}'
    group: '{{ item.group }}'
    mode: '2775'
  with_items:
    - { path: '/var/www', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
    - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
    - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }
Another playbook run, and this time the directories were indeed changed:
TASK [Web-Application base directories] *********************************************************************
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application/login', u'group': u'www-data'})
changed: [web] =>(item={u'owner': u'www-data', u'path': u'/var/www/application/login-v2', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'root', u'path': u'/var/www/monitoring', u'group': u'root'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/log/application', u'group': u'www-data'})
And on the system itself, the correct permissions are finally showing up:
ck@web:~$ stat /var/log/application/
File: /var/log/application/
Size: 36864 Blocks: 80 IO Block: 4096 directory
Device: fd03h/64771d Inode: 139082 Links: 2
Access: (2775/drwxrwsr-x) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:54:31.255760056 +0200
Birth: -