Only set capability cap_dac_read_search+ep when "others" have no exec…

…ute permission In PR #42 we talked about that it should be possible to to allow all users to run the restic binary. It was objected by @TheLastProject that the capability cap_dac_read_search is set and that would give ANY user read access to ANY file. To prevent that, the capability should only be set if "other" users have no execute permission on the restic binary. But on the the other hand, if a restic_group other than 'root' is set, we need the capability, so setting it in that case.
paulfantom · May 21, 2019 · ab82f5c · ab82f5c
1 parent ec419b7
commit ab82f5c
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/tasks/install.yml b/tasks/install.yml
@@ -72,6 +72,11 @@
     owner: 'root'
     group: '{{ restic_group }}'
 
+- name: Read status of restic binary
+  stat:
+    path: '{{ restic_install_path }}/restic'
+  register: restic_binary
+
 - name: Install libcap on Debian systems
   apt:
     name: "libcap2-bin"
@@ -80,6 +85,7 @@
   when:
     - ansible_os_family | lower == "debian"
     - restic_user != 'root'
+    - restic_group != 'root'
 
 - name: Set proper capabilities for restic binary
   capabilities:
@@ -88,4 +94,6 @@
     state: present
   when:
     - restic_user != 'root'
+    - restic_group != 'root'
     - not ansible_check_mode
+    - not restic_binary.stat.xoth