-
Notifications
You must be signed in to change notification settings - Fork 26
Add restic_mode variable #42
base: master
Are you sure you want to change the base?
Conversation
What would be the purpose of that? |
I sometimes want to allow all my users on the system to use the restic binary (mostly Linux Desktop systems). I then need |
Then what is the purpose of using ansible for that? This role is aimed primarily at server usage where you automate your backup configuration (that's why we have those cron file templates) and not at only providing restic binary. |
(Sorry for the delay, somehow missed your answer). I think I get your point, but in our scenario we (the admins) would like to be able to run Or do you think that allowing restic to be run as "ordinary" user is somehow risky? (Changing the mode of the binary is completely optional after all). |
I don't see any risk in running restic binary as an ordinary user and changing binary permissions to 0755 seems ok to me. @TheLastProject what do you think? |
cap_dac_read_search+ep is set currently, so that would give ANY user read access to ANY file. So we definitely shouldn't unless we make sure that's not set |
@TheLastProject Sorry, you lost me here. Why / Where are these capabilities set? Is this somehow specific to restic itself (shall we file a security bug there)? |
It's set here: ansible-restic/tasks/install.yml Lines 77 to 82 in 8fc1da0
Normally, it improves security, because restic could run as another user than root but still back up every file, see https://github.com/paulfantom/ansible-restic#security. However, if you give everyone execute permission, this becomes a serious security concern. I'm all for supporting a way to give everyone execute permission, but we need to make sure to unset it then. |
It should be possible to allow all users to run the restic binary. For that the variable restic_mode should be set to 0755 to set the permissions of the file accordingly.
…ute permission In PR paulfantom#42 we talked about that it should be possible to to allow all users to run the restic binary. It was objected by @TheLastProject that the capability cap_dac_read_search is set and that would give ANY user read access to ANY file. To prevent that, the capability should only be set if "other" users have no execute permission on the restic binary. But on the the other hand, if a restic_group other than 'root' is set, we need the capability, so setting it in that case.
Hey @paulfantom, @TheLastProject, sorry for the very long delay. What about only setting the capability when the "other" execute permission is not set? (I updated my PR (also rebased it on latest master)). |
Well, you'd also want to unset it if that bit is set, otherwise doing a rollout and then deciding "oh nvm I actually want to allow everyone to use it" will still open you to the same security issue. |
Oh, yes... Good point! I'll update my PR... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made some remarks on the code. Please have a look, so I can update my PR. Thx!
@@ -80,6 +85,7 @@ | |||
when: | |||
- ansible_os_family | lower == "debian" | |||
- restic_user != 'root' | |||
- restic_group != 'root' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TheLastProject I think this line is wrong too, right? libcap2-bin
should be installed if restic_user OR restic_group are not 'root', like this:
- restic_user != 'root' or restic_group != 'root'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is @paulfantom's code, but it seems to me that that indeed should be changed.
@@ -88,4 +94,6 @@ | |||
state: present | |||
when: | |||
- restic_user != 'root' | |||
- restic_group != 'root' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as above.
@@ -88,4 +94,6 @@ | |||
state: present | |||
when: | |||
- restic_user != 'root' | |||
- restic_group != 'root' | |||
- not ansible_check_mode |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@TheLastProject This does not come from my PR, but still: what is this line for? The tasks are always run when not ansible_check_mode, no? Did I make a mistake in my thinking?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.. and skipped when in Check/Test-Mode.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's just to not fail if the capabilities are not set
And: shouldn't we also unset the capability when owner and group are 'root' (again)? (I so sorry for this comment flood... ) |
Well, yup, we talked about that:
EDIT: Actually I misread. When owner and group are root there are read rights for anything anyway, but it couldn't hurt just for the sake of consistency I suppose. |
It should be possible to allow all users to run the restic binary.
For that the variable restic_mode should be set to 0755 to set the
permissions of the file accordingly.