From ab82f5c7160ab4b57a7e6d02ea0b154cb99b34d4 Mon Sep 17 00:00:00 2001
From: Darshaka Pathirana
Date: Wed, 22 May 2019 01:12:20 +0200
Subject: [PATCH] Only set capability cap_dac_read_search+ep when "others" have no execute permission

In PR #42 we talked about that it should be possible to to allow all users to run the restic binary. It was objected by @TheLastProject that the capability cap_dac_read_search is set and that would give ANY user read access to ANY file. To prevent that, the capability should only be set if "other" users have no execute permission on the restic binary. But on the the other hand, if a restic_group other than 'root' is set, we need the capability, so setting it in that case.
---
 tasks/install.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tasks/install.yml b/tasks/install.yml
index dd11255..652b8b1 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -72,6 +72,11 @@
     owner: 'root'
     group: '{{ restic_group }}'
 
+- name: Read status of restic binary
+  stat:
+    path: '{{ restic_install_path }}/restic'
+  register: restic_binary
+
 - name: Install libcap on Debian systems
   apt:
     name: "libcap2-bin"
@@ -80,6 +85,7 @@
   when:
     - ansible_os_family | lower == "debian"
     - restic_user != 'root'
+    - restic_group != 'root'
 
 - name: Set proper capabilities for restic binary
   capabilities:
@@ -88,4 +94,6 @@
     state: present
   when:
     - restic_user != 'root'
+    - restic_group != 'root'
     - not ansible_check_mode
+    - not restic_binary.stat.xoth
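Review bot: The registered `restic_binary` result is later dereferenced as `restic_binary.stat.xoth` with no guard on `restic_binary.stat.exists`, so if the binary is not present when this stat runs, that later `when` fails with an undefined-attribute error instead of skipping. Whether the preceding tasks guarantee the file exists cannot be seen from here — the task whose `owner`/`group` lines precede the new stat starts outside the hunk. Consider putting `- restic_binary.stat.exists` first in the consuming `when` list, and since only the mode bits are used here, `get_checksum: false` on the stat avoids hashing the whole binary on every run.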
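Review bot: The new `not restic_binary.stat.xoth` condition only stops the capability from being added; nothing strips `cap_dac_read_search+ep` when it is already on the file, so a host configured by an earlier run of this role, or one where an operator later grants `o+x`, keeps the exact any-user-reads-any-file exposure the commit sets out to close. The `capabilities` task's `path` and `capability` arguments are above the hunk, so I have assumed they match the stat path and the capability named in the subject. A counterpart task with `state: absent`, gated on the inverse condition, makes the role converge to the safe state in both directions; ordering it before the `present` task keeps a single run idempotent.
```yaml
- name: Drop file capabilities when the restic binary is world-executable
  capabilities:
    path: '{{ restic_install_path }}/restic'
    capability: cap_dac_read_search+ep
    state: absent
  when:
    - not ansible_check_mode
    - restic_binary.stat.xoth

# … unchanged: "Set proper capabilities for restic binary" task with state: present …
```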