From 4b98ed277600c248e10b624bdf318c3789c89100 Mon Sep 17 00:00:00 2001
From: Aaron D Borden
Date: Thu, 14 Jan 2021 17:33:48 -0800
Subject: [PATCH] Fix tests dot env can contain secrets, limit its access.
---
 ansible/roles/software/ckan/catalog/ckan-app/tasks/web.yml | 4 ++--
 ansible/roles/software/ckan/inventory/tasks/main.yml | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/ansible/roles/software/ckan/catalog/ckan-app/tasks/web.yml b/ansible/roles/software/ckan/catalog/ckan-app/tasks/web.yml
index 97532f1d6..fd5f7f685 100644
--- a/ansible/roles/software/ckan/catalog/ckan-app/tasks/web.yml
+++ b/ansible/roles/software/ckan/catalog/ckan-app/tasks/web.yml
@@ -17,9 +17,9 @@
 template:
 src: app_env.j2
 dest: /etc/ckan/.env
- mode: 0644
+ mode: 0640
 owner: root
- group: root
+ group: www-data
 become: true
 - name: Install supervisor
diff --git a/ansible/roles/software/ckan/inventory/tasks/main.yml b/ansible/roles/software/ckan/inventory/tasks/main.yml
index 510e9e60c..48e97ae06 100644
--- a/ansible/roles/software/ckan/inventory/tasks/main.yml
+++ b/ansible/roles/software/ckan/inventory/tasks/main.yml
@@ -116,11 +116,10 @@
 template:
 src: app_env.j2
 dest: /etc/ckan/.env
- mode: 0644
+ mode: 0640
 owner: root
- group: root
+ group: www-data
 become: true
- when: inventory_next
 notify:
 - restart ckan
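Review bot: With secrets in this file, the `template` task that writes `/etc/ckan/.env` will still print the rendered content whenever the play runs with `--diff`, so the values can land in console or CI logs even though the on-disk mode is now 0640. Adding `diff: false` (or `no_log: true`) at task level beside `become: true` would close that; the identical task in `inventory/tasks/main.yml` needs the same. Separately, `mode: "0640"` as a quoted string avoids depending on the YAML loader reading a leading-zero integer as octal. The task starts above the hunk, so its name and any keywords already set on it are not visible here.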
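Review bot: Dropping `when: inventory_next` in `inventory/tasks/main.yml` is a behaviour change the commit message does not mention: the `.env` template and its `restart ckan` notify now run on every host that includes this role, not only those with `inventory_next` set. If the condition was removed only to get the tests passing, confirm that the hosts where it was false have the `www-data` group created before this task, because `group: www-data` makes the task fail when the group does not exist. A short comment above the task, e.g. `# .env holds secrets: readable by root and the web server group only`, would record why the ownership is set this way. The task begins above the hunk.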