From ec419b70c3c8b513faa6af339d53881fcfc3d4d9 Mon Sep 17 00:00:00 2001
From: Darshaka Pathirana
Date: Thu, 20 Dec 2018 15:46:39 +0100
Subject: [PATCH 1/2] Add restic_mode variable

It should be possible to allow all users to run the restic binary. For that the variable restic_mode should be set to 0755 to set the permissions of the file accordingly.
---
 README.md | 1 +
 defaults/main.yml | 1 +
 tasks/install.yml | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d4b9cbc..585bb64 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `restic_group` | "root" | system group to run restic |
 | `restic_shell` | "/bin/false" | the shell for the restic user, change this if you want to be able to su to it |
 | `restic_install_path` | "/usr/local/bin" | directory where restic binary will be installed |
+| `restic_mode` | 0750 | permissions of the restic binary, change to 0755 if you want to allow all users to run restic |
 | `restic_cron_mailto` | restic_user | who to mail results of the restic crons to, set to "" to not mail |
 | `restic_cron_stdout_file` | null | what file to log restic output to, null means include in mailto, use /dev/null to discard |
 | `restic_cron_stderr_file` | null | what file to log restic errors to, null means include in mailto, use /dev/null to discard |
diff --git a/defaults/main.yml b/defaults/main.yml
index 9749f2e..a3e67d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,6 +5,7 @@ restic_user: root
 restic_group: "{{ restic_user }}"
 restic_shell: "/bin/false"
 restic_home: "/var/lib/restic"
+restic_mode: 0750
 restic_install_path: '/usr/local/bin'
diff --git a/tasks/install.yml b/tasks/install.yml
index 321cdac..dd11255 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
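Review bot: `restic_mode: 0750` is a plain scalar, so Ansible's YAML 1.1 loader reads it as the integer 488 rather than the octal string the README row documents, and it reaches `mode: '{{ restic_mode }}'` in tasks/install.yml (the `@@ -68,7 +68,7 @@` hunk) as that integer; it presumably works only because the file module also accepts an integer mode, while an override supplied as a string (extra-vars, inventory) is parsed as octal text, so the two spellings follow different paths. The line the task replaces was already quoted (`mode: '0750'`), so the default should be too: `restic_mode: '0750'`, and the README row should show `"0750"` so that overrides copied from it stay strings. yamllint's `octal-values` rule exists for exactly this trap.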
@@ -68,7 +68,7 @@
 copy:
 src: "/tmp/restic_{{ restic_version }}_{{ go_arch }}"
 dest: '{{ restic_install_path }}/restic'
- mode: '0750'
+ mode: '{{ restic_mode }}'
 owner: 'root'
 group: '{{ restic_group }}'
From ab82f5c7160ab4b57a7e6d02ea0b154cb99b34d4 Mon Sep 17 00:00:00 2001
From: Darshaka Pathirana
Date: Wed, 22 May 2019 01:12:20 +0200
Subject: [PATCH 2/2] Only set capability cap_dac_read_search+ep when "others" have no execute permission

In PR #42 we talked about that it should be possible to to allow all users to run the restic binary. It was objected by @TheLastProject that the capability cap_dac_read_search is set and that would give ANY user read access to ANY file. To prevent that, the capability should only be set if "other" users have no execute permission on the restic binary. But on the the other hand, if a restic_group other than 'root' is set, we need the capability, so setting it in that case.
---
 tasks/install.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tasks/install.yml b/tasks/install.yml
index dd11255..652b8b1 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -72,6 +72,11 @@
 owner: 'root'
 group: '{{ restic_group }}'
+- name: Read status of restic binary
+ stat:
+ path: '{{ restic_install_path }}/restic'
+ register: restic_binary
+
 - name: Install libcap on Debian systems
 apt:
 name: "libcap2-bin"
@@ -80,6 +85,7 @@
 when:
 - ansible_os_family | lower == "debian"
 - restic_user != 'root'
+ - restic_group != 'root'
 - name: Set proper capabilities for restic binary
 capabilities:
@@ -88,4 +94,6 @@
 state: present
 when:
 - restic_user != 'root'
+- restic_group != 'root'
 - not ansible_check_mode
+ - not restic_binary.stat.xoth
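Review bot: `restic_binary.stat.xoth`, consumed in the `@@ -88,4 +94,6 @@` hunk, is only present in the registered result when the file exists, since the stat module returns just `exists: false` for a missing path; on a fresh host run with `--check` the copy task creates nothing, so that condition refers to a missing attribute and only passes because the preceding `not ansible_check_mode` item is, as far as I can tell, evaluated first and short-circuits the list. That is an implicit dependency on item order, so guard it explicitly: add `- restic_binary.stat.exists` directly before `- not restic_binary.stat.xoth`, or write that item as `- not (restic_binary.stat.xoth | default(false))`.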
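Review bot: The new `not restic_binary.stat.xoth` item only stops the capability from being granted; nothing revokes one that is already there, so on a host where restic was installed earlier as 0750 with `cap_dac_read_search+ep`, changing `restic_mode` to 0755 leaves a world-executable binary that still carries the capability, because the copy task only changes the mode when the source is unchanged and a mode change by itself does not clear file capabilities — the exact exposure this commit sets out to prevent. A companion `capabilities` task with `state: absent`, run when `xoth` is set, closes the gap; it should keep the `restic_user`/`restic_group` and check-mode items so it only runs where libcap was installed. README.md still says only that 0755 lets all users run restic; the row should add that the capability is then not granted, so a non-root `restic_user` will not be able to read files it does not own. The enclosing task starts above this hunk.
```yaml
# … unchanged: "Set proper capabilities for restic binary" task …

- name: Remove capability from a world-executable restic binary
  capabilities:
    path: '{{ restic_install_path }}/restic'
    capability: cap_dac_read_search
    state: absent
  when:
    - restic_user != 'root'
    - restic_group != 'root'
    - not ansible_check_mode
    - restic_binary.stat.xoth | default(false)
```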