6.2.9 and 6.2.11 are following links, changing permissions outside of /home/myuser

[mballon]

Describe the Issue
In the case where a user has python venv installed under /home/myuser there are links to files outside the home directory such as /usr/lib/python3.6/site-packages/six.py. In this case rules 6.2.9 and 6.2.11 (at least) are removing the "other" permissions on the file.

Expected Behavior
The task should not follow links and I agree that's it's coded not to, although it is in this case. I have tried changing from "command" module to both shell and raw with no luck, the link is still followed. Unfortunate I cannot reproduce outside of Ansible. Running the find manually does not include links.

Actual Behavior
user has a link from /home/myuser/site-packages/urllib3/packages/six.py to /usr/lib/python3.6/site-packages/six.py and the file that is linked to has other-read removed.

[root@invhost/]# ls -l /home/myuser/site-packages/urllib3/packages/six.py
lrwxrwxrwx 1 myuser users 39 Feb 23 2023 /home/myuser/site-packages/urllib3/packages/six.py -> /usr/lib/python3.6/site-packages/six.py

[root@invhost/]# ls -l /usr/lib/python3.6/site-packages/six.py
-rw-r--r--. 1 root root 30888 Aug 12 2018 /usr/lib/python3.6/site-packages/six.py [BEFORE]

TASK [rhel8-cis-2.0.0 : 6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive] ***
changed: [invhost] => (item=['/home/myuser', {'etype': 'group', 'mode': 'rx'}])
changed: [invhost] => (item=['/home/myuser', {'etype': 'other', 'mode': '0'}])

[root@invhost/]# ls -l /usr/lib/python3.6/site-packages/six.py
-rw-r-----. 1 root root 30888 Aug 12 2018 /usr/lib/python3.6/site-packages/six.py [AFTER]

Control(s) Affected
What controls are being affected by the issue
6.2.9 6.2.11

Environment (please complete the following information):

• branch being used: local copy forked from main
• Ansible Version: 2.10.17
• Host Python Version: 3.6.8
• Ansible Server Python Version: 3.6.8
• Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Looking to see if anyone else is seeing this for now, don't have a solution.

[mballon]

Looks like it's actually the file/acl module that does the change? although why are directories outside of /home in the rhel_08_6_2_9_patch_audit dict.

    - name: "6.2.9 | PATCH | Ensure all users' home directories exist"
      ansible.builtin.file:
          path: "{{ item.0 }}"

recurse: true

          recurse: false
          mode: a-st,g-w,o-rwx
      register: rhel_08_6_2_9_patch
      when:
          - not ansible_check_mode
          - item.1.exists
      with_together:
          - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
          - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
      loop_control:
          label: "{{ item.0 }}"

[mballon]

I can work around this with changing all the recurse from true to false in 6.2.x.yml. Until I can pull all the code out and run 6.2.x on its own that's what I'm going with.

[uk-bolly]

hi @mballon

Thank you for taking the time to raise this issue. I have incorporated a fix into a new branch Oct23_issues, which i hope to get merged over the next couple of days.

kindest regards

uk-bolly