Missing 'mode' on file copy can lead to too restrictive default permissions

[geerlingguy]

My CI jobs just started failing after Ansible 2.9.12 was released.

I noticed the following failure:

TASK [Verify Apache is serving web requests.] **********************************
fatal: [instance]: FAILED! => {"changed": false, "connection": "close", "content": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access /index.html\non this server.<br />\n</p>\n</body></html>\n", "content_length": "219", "content_type": "text/html; charset=iso-8859-1", "date": "Fri, 14 Aug 2020 15:07:32 GMT", "elapsed": 0, "msg": "Status code was 403 and not [200]: HTTP Error 403: Forbidden", "redirected": false, "server": "Apache/2.4.37 (centos)", "status": 403, "url": "http://localhost/"}

But locally (where I had 2.9.11) it was not failing. It was not until after scanning the rest of the failed job logs that I noticed:

    TASK [Copy a web page.] ********************************************************
    [WARNING]: File '/var/www/html/index.html' created with default permissions
        '600'. The previous default was '666'. Specify 'mode' to avoid this warning.
        changed: [instance]

This seems to be a major breaking change, as I still have a number of file, copy, template, etc. tasks which do not explicitly define a mode, and relied on the default behavior. It looks like others have been hitting this problem too: ansible/ansible#71200

I'm not sure if the default will be changed back, but I guess in general, the best option is to always explicitly define mode now, since the system default will not be used in the name of security.

[dvallis]

I've been trying to figure out why a certain playbook wouldn't run. I get the exact error ""The previous default was '666'. Specify 'mode' to avoid this warning." I was on ansible 2.9.12. Problem started a week ago, so it must be this.

What ansible version should I revert to so this error does not happen? Trial and error is taking forever as each time the Playbook fails it breaks networking and apt-get on the target server, so I have to re-install Ubuntu.

[dvallis]

FYI, anyone with a playbook broken because of this update the solution is

$pip install ansible==2.9.10

Took me a frigging WEEK to figure out this was the root cause. Grrr.

[yaobinwen-mvs]

@dvallis According to the Porting Guide 2.9: Change to Default File Permissions, the default permission was changed to address the security issue CVE-2020-1736:

To address CVE-2020-1736, the default permissions for certain files created by Ansible using atomic_move() were changed from 0o666 to 0o600 starting with Ansible 2.9.12.

According to ansible/ansible#67794 (comment), the developers seem to be looking for a less disruptive solution now.

[ivan-at-wiris]

🤦 Facepalm