Infinite loop error in "find files with write-permissions for group" task #215
907th opened this issue Apr 22, 2019 · 11 comments
@907th

907th commented Apr 22, 2019

We have implemented a faster way of finding files with invalid permissions in #208 and #209 recently. But today I was unable to run this task against a fresh Ubuntu 18.04 LXC container:

Error output:

failed: [a-new-lxc-container] (item=/usr/bin) => {"changed": false, "cmd": "find -L /usr/bin -perm /go+w -type f", "delta": "0:00:00.005482", "end": "2019-04-22 07:03:30.114919", "item": "/usr/bin", "msg": "non-zero return code", "rc": 1, "start": "2019-04-22 07:03:30.109437", "stderr": "find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.", "stderr_lines": ["find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'."], "stdout": "", "stdout_lines": []}

The problem is that /usr/bin/X11 is a symlink to .:

root@a-new-lxc-container:~# ls -la /usr/bin/X11
lrwxrwxrwx 1 root root 1 Apr 19  2018 /usr/bin/X11 -> .

I'm not sure how to fix that.

@rndmh3ro

rndmh3ro commented Apr 24, 2019

Hey!

I thought I kept this in mind when implementing the faster way... Seems I didn't, sorry.

Can you try to add 2>&1 (to ignore errors of the command by redirecting the output) to the find command and see if this helps?

shell: "find -L {{ item }} -perm /go+w -type f 2>&1"

@907th

907th commented Apr 25, 2019

@rndmh3ro This wouldn't help because find will still exit with status code 1.

$ find -L /usr/bin -perm /go+w -type f 2>&1
find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’.
$ echo $?
1

We can ignore the task error altogether using the ignore_errors: true Ansible option, but I'm not sure if this is a good solution.

@rndmh3ro

I guess ignore_errors should work here. I'll have to try!

@907th

907th commented Apr 25, 2019

It should definitely work, but it would ignore other important error types too.

@rndmh3ro

Yes, we'll have to check if there are any errors in the command that are critical when missed. Right now I don't think that there are any.
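The concern raised above is that ignore_errors hides every failure of the find task, not just the harmless loop warning. The following is an added example (not code from the ansible-os-hardening role) that reproduces the find -L loop exit status on a constructed directory tree and shows a narrower alternative: keep find's stdout, treat only the "File system loop detected" stderr lines as benign, and still fail when any other error is present. The function names, the tree layout and the file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the ansible-os-hardening role. It reproduces the
# "File system loop detected" exit status on a constructed tree and shows a
# wrapper that tolerates only that message, so other find errors still fail.

# Constructed test tree: one group-writable file, one file with sane
# permissions, and a symlink to "." that mimics /usr/bin/X11 -> .
make_tree() {
  dir=$(mktemp -d)
  echo x > "$dir/zdump"
  chmod 664 "$dir/zdump"   # group-writable: must be reported
  echo y > "$dir/ok"
  chmod 644 "$dir/ok"      # neither group- nor other-writable: must not be reported
  ln -s . "$dir/X11"       # self-referencing symlink: triggers the loop warning under -L
  printf '%s' "$dir"
}

# The role's command as-is: prints the exit status, which is 1 as soon as find
# hits the loop, even though the file list on stdout is complete.
plain_find_rc() {
  if find -L "$1" -perm /go+w -type f >/dev/null 2>&1; then
    echo 0
  else
    echo $?
  fi
}

# Narrower alternative to ignore_errors: keep find's stdout, discard only the
# loop warnings on stderr, and fail (status 2) if any other error remains,
# e.g. permission denied or a missing directory.
find_writable() {
  errfile=$(mktemp)
  if out=$(find -L "$1" -perm /go+w -type f 2>"$errfile"); then
    rc=0
  else
    rc=$?
  fi
  # grep -v exits 1 when nothing is left, which is the good case here.
  other=$(grep -v 'File system loop detected' "$errfile" || true)
  rm -f "$errfile"
  if [ -n "$other" ]; then
    echo "find exited $rc with unexpected errors:" >&2
    echo "$other" >&2
    return 2
  fi
  printf '%s\n' "$out"
  return 0
}

# Demonstration on the constructed tree.
demo_dir=$(make_tree)
echo "plain find exit status: $(plain_find_rc "$demo_dir")"   # 1 because of the loop
echo "group/other-writable files:"
find_writable "$demo_dir"                                     # lists only .../zdump
rm -rf "$demo_dir"
```

In an Ansible task the same idea can be expressed by registering the find result and using failed_when on the stderr content instead of ignore_errors, so that a loop warning passes while a real find failure still stops the play.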

@rndmh3ro

I just checked everything again. ignore_errors is already set: https://github.com/dev-sec/ansible-os-hardening/pull/209/files#diff-1eae9960573e19749d15ef483b25b5c6R13

When I install xorg and then run the find command manually, I get the error you described:

root@c84132d1812e:/home/kitchen# find -L /usr/bin -perm /go+w -type f
find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.
find: File system loop detected; '/usr/bin/zzz' is part of the same file system loop as '/usr/bin'.

However when running the role, the error is ignored and the permissions are correctly set:

TASK [ansible-os-hardening : find files with write-permissions for group] ********************************************************************************************************************
ok: [localhost] => (item=/usr/local/sbin)
ok: [localhost] => (item=/usr/local/bin)
ok: [localhost] => (item=/usr/sbin)
failed: [localhost] (item=/usr/bin) => {"changed": false, "cmd": "find -L /usr/bin -perm /go+w -type f", "delta": "0:00:00.003832", "end": "2019-04-29 15:43:48.868872", "item": "/usr/bin", "msg": "non-zero return code", "rc": 1, "start": "2019-04-29 15:43:48.865040", "stderr": "find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.\nfind: File system loop detected; '/usr/bin/zzz' is part of the same file system loop as '/usr/bin'.", "stderr_lines": ["find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.", "find: File system loop detected; '/usr/bin/zzz' is part of the same file system loop as '/usr/bin'."], "stdout": "/usr/bin/zdump", "stdout_lines": ["/usr/bin/zdump"]}
ok: [localhost] => (item=/sbin)
ok: [localhost] => (item=/bin)
ok: [localhost] => (item=/home)
...ignoring

TASK [ansible-os-hardening : minimize access on found files] ********************************************************************************************************************************
changed: [localhost] => (item=[{'_ansible_parsed': True, 'stderr_lines': [u"find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.", u"find: File system loop detected; '/usr/bin/zzz' is part of the same file system loop as '/usr/bin'."], u'changed': False, u'stdout': u'/usr/bin/zdump', '_ansible_item_result': True, u'msg': u'non-zero return code', u'delta': u'0:00:00.003832', '_ansible_item_label': u'/usr/bin', u'end': u'2019-04-29 15:43:48.868872', '_ansible_no_log': False, u'failed': True, u'cmd': u'find -L /usr/bin -perm /go+w -type f', 'item': u'/usr/bin', u'stderr': u"find: File system loop detected; '/usr/bin/X11' is part of the same file system loop as '/usr/bin'.\nfind: File system loop detected; '/usr/bin/zzz' is part of the same file system loop as '/usr/bin'.", u'rc': 1, u'invocation': {u'module_args': {u'creates': None, u'executable': None, u'_uses_shell': True, u'_raw_params': u'find -L /usr/bin -perm /go+w -type f', u'removes': None, u'argv': None, u'warn': True, u'chdir': None, u'stdin': None}}, u'start': u'2019-04-29 15:43:48.865040'}, u'/usr/bin/zdump'])


Are you running the latest master-version?

@907th

907th commented Apr 30, 2019

@rndmh3ro No, I maintain a local copy of this role. Thanks for checking this!

@907th 907th closed this as completed Apr 30, 2019
@jeanmonet

Hi, so just to be clear, can these errors be safely ignored?

find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’.
find: File system loop detected; ‘/bin/X11’ is part of the same file system loop as ‘/bin’.

@rndmh3ro

Yes.

@jafaripur

Same

failed: [my_host] (item=/usr/bin) => {
    "ansible_loop_var": "item", 
    "changed": false, 
    "cmd": "find -L /usr/bin -perm /go+w -type f", 
    "delta": "0:00:00.010052", 
    "end": "2021-02-03 15:45:01.993083", 
    "item": "/usr/bin", 
    "rc": 1, 
    "start": "2021-02-03 15:45:01.983031"
}

STDERR:

find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’.


MSG:

non-zero return code

@rndmh3ro

rndmh3ro commented Feb 3, 2021

@jafaripur you're probably using a very old version of the role. Can you update?
