Weird directory permissions after directory was created by Ansible playbook

Written by - 0 comments

Published on - Listed in Ansible Linux

Weird directory permissions were found on a web server, which was deployed using an Ansible playbook. Although the user and group ownerships (www-data) were correctly applied, the initially defined permissions (2775) were completely off:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (5327/d-ws-w-rwt)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:16:13.659680824 +0200
 Birth: -

Instead of 2775 permissions, a weird 5327 mode was set on this directory.

Looking closer at the relevant playbook task, the directory is supposed to be created with a permission mode 2775:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: 2775
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

The mode is set to 2775, so it should work, right? Did something change this directory after the playbook was run?

But another playbook run showed that the listed directories did not change, the permissions staid at this weird 5327 mode.

Looking once more at the Ansible file documentation, something very interesting was found:

For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777) or quote it (like '644' or '1777') so Ansible receives a string and can do its own conversion from string into number.
Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results.

This means that a mode of 0775 would have worked, but the leading 2(775) causes an decimal number and therefore this very unexpected result.

By surrounding the permission with quotes ('2775'), this should solve the problem:

  - name: Web-Application base directories
    file:
      path: '{{ item.path }}'
      state: directory
      owner: '{{ item.owner }}'
      group: '{{ item.group }}'
      mode: '2775'
    with_items:
     - { path: '/var/www', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/application/login-v2', owner: 'www-data', group: 'www-data' }
     - { path: '/var/www/monitoring', owner: 'root', group: 'root' }
     - { path: '/var/log/application', owner: 'www-data', group: 'www-data' }

Another playbook run, and this time the directories were indeed changed:

TASK [Web-Application base directories] *********************************************************************
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/www/application/login', u'group': u'www-data'})
changed: [web] =>(item={u'owner': u'www-data', u'path': u'/var/www/application/login-v2', u'group': u'www-data'})
changed: [web] => (item={u'owner': u'root', u'path': u'/var/www/monitoring', u'group': u'root'})
changed: [web] => (item={u'owner': u'www-data', u'path': u'/var/log/application', u'group': u'www-data'})

And on the system itself, the correct permissions are finally showing up:

ck@web:~$ stat /var/log/application/
  File: /var/log/application/
  Size: 36864         Blocks: 80         IO Block: 4096   directory
Device: fd03h/64771d    Inode: 139082      Links: 2
Access: (2775/drwxrwsr-x)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2021-06-01 13:41:05.564182781 +0200
Modify: 2021-06-01 13:16:13.659680824 +0200
Change: 2021-06-01 13:54:31.255760056 +0200
 Birth: -



Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

Blog Tags:

AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder