Weird directory permissions after directory was created by Ansible playbook

Published on June 1st 2021 - Listed in Ansible Linux


Weird directory permissions were found on a web server, which was deployed using an Ansible playbook. Although the user and group ownerships (www-data) were correctly applied, the initially defined permissions (2775) were completely off:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (5327/d-ws-w-rwt)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:16:13.659680824 +0200
 Birth: -

Instead of 2775 permissions, a weird 5327 mode was set on this directory.

Looking closer at the relevant playbook task, the directory is supposed to be created with a permission mode 2775:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: 2775
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

The mode is set to 2775, so it should work, right? Did something change this directory after the playbook was run?

But another playbook run showed that the listed directories did not change; the permissions stayed at this weird 5327 mode.

Looking once more at the Ansible file documentation, something very interesting was found:

For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.

This means that a mode of 0775 would have worked, but 2775 has no leading zero, so the YAML parser hands Ansible the decimal number 2775. Written in octal, decimal 2775 is 5327, which is exactly the mode stat showed.
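To make the conversion visible, here is a small added example (not Ansible's own code, and not part of the original post). It mimics the two paths a mode value can take, renders the resulting mode the way stat prints it, and includes a simple pre-run check that flags unquoted, zero-less numeric modes in a playbook. The assumption, labelled in the comments, is that an unquoted YAML integer reaches the file module as an int and is applied as-is, while a quoted string is parsed as octal; the sample playbook text is constructed for the demonstration.

```python
import re
import stat


def mode_from_playbook_value(value):
    """Mimic what Ansible's file module ends up applying as the mode.

    Assumption (not Ansible's own code): an unquoted YAML integer such as
    2775 arrives as a Python int and is passed through unchanged, while a
    quoted '2775' arrives as a string that the module parses as octal.
    """
    if isinstance(value, int):
        return value              # decimal 2775 == octal 5327
    return int(value, 8)          # '2775' -> 0o2775


def symbolic(mode):
    """Render a directory mode the way stat(1) prints it (e.g. drwxrwsr-x)."""
    return stat.filemode(stat.S_IFDIR | mode)


def find_unquoted_modes(playbook_text):
    """Flag 'mode:' values that YAML will hand to Ansible as decimal ints.

    A value is flagged when it is all digits and has no leading zero; quoted
    strings, zero-prefixed octals and symbolic modes (u=rwx,g=rx) pass.
    Returns (line number, raw value, octal mode actually applied) tuples.
    """
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), 1):
        m = re.match(r"^\s*mode:\s*(\S+)\s*$", line)
        if not m:
            continue
        raw = m.group(1)
        if raw.isdigit() and not raw.startswith("0"):
            findings.append((lineno, raw, oct(int(raw))))
    return findings


# Constructed sample playbook: the three ways the mode could be written.
SAMPLE_PLAYBOOK = """\
- name: Web-Application base directories
  file:
    path: /var/log/application
    state: directory
    mode: 2775
- name: same task, quoted mode
  file:
    path: /var/log/application
    state: directory
    mode: '2775'
- name: same task, zero-prefixed octal
  file:
    path: /var/www
    state: directory
    mode: 0775
"""

if __name__ == "__main__":
    for value in (2775, "2775"):
        applied = mode_from_playbook_value(value)
        print(f"{value!r:8} -> {applied:05o} {symbolic(applied)}")
    for lineno, raw, applied in find_unquoted_modes(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: mode {raw} is decimal; applies {applied}")
```

Running it prints the unquoted value as mode 05327 (d-ws-w-rwt, world-writable with setuid and sticky bits) and the quoted value as 02775 (drwxrwsr-x), and the check reports only the first task. A check like this is cheap to run before a playbook reaches a server, which is where the wrong mode actually matters.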

Surrounding the mode with quotes ('2775') should therefore solve the problem:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: '2775'
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

Another playbook run, and this time the directories were indeed changed:

TASK [Web-Application base directories] *********************************************************************
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application/login', u'group': u'www-data'})
changed: [web] =>(item={u'owner': u'www-data', u'path': u'/var/www/application/login-v2', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'root', u'path': u'/var/www/monitoring', u'group': u'root'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/log/application', u'group': u'www-data'})

And on the system itself, the correct permissions are finally showing up:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (2775/drwxrwsr-x)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:54:31.255760056 +0200
 Birth: -
