60
10
In ansible, I can do this:
file: dest=/foo/bar/somedir owner=root group=apache mode=0775 recurse=yes
And it recursively sets the owner, group, and permissions to 0775 on all directories and files in that path. But I want to set directories to 0775, and files to 0664. Is there some way to make ansible do this?
Edward Ned Harvey
Posted 2016-01-11T12:08:43.447
Reputation: 1 070
44
file: dest=/foo/bar/somedir owner=root group=apache mode=u=rwX,g=rX,o=rX recurse=yes
will set directories to 755, and files to 644.
Adam Chance
Posted 2016-01-11T12:08:43.447
Reputation: 1 029
this does not work for files. – mirza – 2018-05-22T18:14:30.857
1@Adam Chance Where is the magic? How does specifying u,g,o make it different than the number (and where is 644 written?) – linuxbandit – 2018-07-12T09:04:44.520
4
The source code mentions that the symbolic u.g.o handling is the same as "man chmod"'s handling -- capital X has special handling based on the dir/file status and existing execute bits. https://github.com/ansible/ansible/blob/8606fb33f0e8954b588eaecec2d99b4a120fd4ad/lib/ansible/module_utils/basic.py#L1419-L1421
– Marc Tamsky – 2018-07-16T16:47:03.5103
In other words, X is x for directories, and nothing for files. And that's how chmod, not ansible treats the mode string. I wish S would be treated likewise.
2
But do note, that it makes files executable by owner executable by all.
– x-yuri – 2019-01-24T16:35:59.69025
The Ansible file/copy modules don't give you the granularity of specifying permissions based on file type so you'd most likely need to do this manually by doing something along these lines:
- name: Ensure directories are 0755 command: find {{ path }} -type d -exec chmod 0755 {} \; - name: Ensure files are 0644 command: find {{ path }} -type f -exec chmod 0644 {} \;These would have the effect of recursing through
{{ path }}and changing the permissions of every file or directory to the specified permissions.
Zulakis
Posted 2016-01-11T12:08:43.447
Reputation: 1 316
@luckytaxi the answer provided by gmangin does not recursively set the permissions of subdirectories. – Dejay Clayton – 2017-08-14T17:34:13.157
ahhhh you are correct! i saw the one recurse option but not the other one. – luckytaxi – 2017-08-15T17:38:29.627
10
If you want to use the module file in ansible, you can:
file: dest=/foo/bar/somedir owner=root group=apache mode=0644 recurse=yes
file: dest=/foo/bar/somedir owner=root group=apache mode=0775
With this method you first set all the file (recurse=yes) to '644' and then you set /foo/bar/somedir to '775'.
This is not perfect because it will change your directory permission each time you play your playbook. But at least it is idempotent, not like the module command.
If you don't want to have 'changed' status, you can use the module stat. It will list all the files and directory in /foo/bar/somedir so you register the answer and then make a loop on those files only.
gmangin
Posted 2016-01-11T12:08:43.447
Reputation: 117
7Your answer will set all subfiles and subdirectories to 644, while setting only the top-level directory to 775. The need is for all directories to be 775, including subdirectories. – Edward Ned Harvey – 2016-09-15T23:38:02.190
This suggestion is not idempotent. Setting permissions first to one value, and later to another, means that the permissions will be changed on every run. – Kevin Keane – 2019-04-29T21:51:20.430
5
I'm not sure how much sense it would be to set directories to 0775 (rwxrwxr-x) and files to 0644 (rw-r--r--): group-writeable directories but not files?
If you meant to set files to 0664 (rw-rw-r--) to ensure that files are not executable while directories are traversable then there is an elegant solution involving only one chmod command:
chmod -c -R ug=rw,o=r,a-x+X "{{top_dir}}"
Here is how it can be used in Ansible:
- name: recursive chmod example
command: |
chmod -c -R ug=rw,o=r,a-x+X "{{item}}"
register: chmod_status
changed_when: chmod_status.stdout != ""
with_items:
- "/home/user/sample/dir"
chmod -c prints all the changes that we can conveniently use to populate "changed" status in Ansible. I hope it make sense.
Onlyjob
Posted 2016-01-11T12:08:43.447
Reputation: 324
4
To only change mods when needed:
- name: make dirs 0755
command: find {{ your_path }} -type d ! -perm 0755 -exec chmod 0755 {} \;
- name: make files 0644
command: find {{ your_path }} -type f ! -perm 0644 -exec chmod 0644 {} \;
sjas
Posted 2016-01-11T12:08:43.447
Reputation: 323
0
As an example, as if "securing" a hypothetical Joomla! instance:
- name: Ensure to secure the Joomla installation
shell: "find . -type d -exec chmod 755 {} \\; && find . -type f -exec chmod 644 {} \\; && chown -R www-data: cache modules images media modules logs tmp administrator/cache"
args:
chdir: "{{ production_backend_root_path }}"
tags:
- joomla_secure
Where root owns all but a few designated directories owned by the webserver.
Moises Jafet
Posted 2016-01-11T12:08:43.447
Reputation: 1
Related: Change all folder permissions with one command.
– Scott – 2018-06-30T06:13:29.277