Do not create files without permissions control

ID

risky_file_permissions

Severity

low

Vendor

Ansible

Resource

General Security

Tags

reachable

Description

Do not create files without permissions control. Various modules can end up creating new files on disk with permissions that are too open or unpredictable: when no explicit mode is given, the new file's permissions depend on the remote umask, and `mode: preserve` has nothing to preserve when the file does not yet exist.

Learn more about this topic at Ansible risky file permissions.

Examples

---
- name: Unsafe example of using ini_file
  community.general.ini_file:
    path: foo
    create: true
    mode: preserve

Mitigation / Fix

---
- name: Safe example of using ini_file (1st solution)
  community.general.ini_file:
    path: foo
    create: false  # prevents creating a file with potentially insecure permissions
    mode: preserve

- name: Safe example of using ini_file (2nd solution)
  community.general.ini_file:
    path: foo
    mode: "0600"  # explicitly sets the desired permissions, to make the results predictable (quoted so YAML does not parse the octal as a decimal integer)
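The following is an added example of the check behind this rule, not code from the page or from ansible-lint: it flags a task when a file-creating module runs without an explicit mode or with `mode: preserve`. The module table and its default `create` values are an assumption for illustration.

```python
# Added example, not part of the original rule page: a minimal checker that
# flags Ansible tasks matching the risky_file_permissions condition, i.e. a
# module that may create a file while its mode is missing or "preserve".
# The module table below is an assumption for illustration; a real linter
# covers many more modules.

# module -> default value of its `create` option (True means the module
# creates the target whenever it is missing).
FILE_CREATING_MODULES = {
    "community.general.ini_file": True,   # ini_file creates by default
    "ansible.builtin.lineinfile": False,  # lineinfile needs create: true
    "ansible.builtin.copy": True,
    "ansible.builtin.template": True,
}

def is_risky(task: dict) -> bool:
    """True when the task may create a file without an explicit mode."""
    for module, args in task.items():
        if module not in FILE_CREATING_MODULES:
            continue
        args = args if isinstance(args, dict) else {}
        creates = args.get("create", FILE_CREATING_MODULES[module])
        if not creates:
            return False  # only edits an existing file: nothing new is created
        mode = args.get("mode")
        # A missing mode falls back to the remote umask; "preserve" has
        # nothing to preserve on a new file, so both are unpredictable.
        return mode is None or mode == "preserve"
    return False

def find_risky_tasks(tasks: list) -> list:
    """Return the names of the tasks that should be flagged."""
    return [t.get("name", "<unnamed>") for t in tasks if is_risky(t)]

# Constructed sample tasks mirroring the page's unsafe and safe examples.
SAMPLE_TASKS = [
    {"name": "Unsafe example of using ini_file",
     "community.general.ini_file": {"path": "foo", "create": True,
                                    "mode": "preserve"}},
    {"name": "Safe example (1st solution)",
     "community.general.ini_file": {"path": "foo", "create": False,
                                    "mode": "preserve"}},
    {"name": "Safe example (2nd solution)",
     "community.general.ini_file": {"path": "foo", "mode": "0600"}},
    {"name": "Template with default permissions",
     "ansible.builtin.template": {"src": "a.j2", "dest": "/etc/a.conf"}},
]

if __name__ == "__main__":
    print(find_risky_tasks(SAMPLE_TASKS))
```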