a84b6847fc
The search for world-writable files is very intensive and causes some long delays when running playbooks. This patch makes it optional and updates the documentation to match. Change-Id: I206f75597c48023a889bd7027daff2eff82b1a16
25 lines
868 B
ReStructuredText
25 lines
868 B
ReStructuredText
---
|
|
id: V-72047
|
|
status: opt-in
|
|
tag: file_perms
|
|
---
|
|
|
|
The tasks in the security role examine the world-writable directories on the
|
|
system and report any directories that are not group-owned by the ``root``
|
|
user. Those directories appear in the Ansible output.
|
|
|
|
Deployers should review the list of directories and group owners to ensure
|
|
that they are appropriate for the directory. Unauthorized group ownership
|
|
could allow certain users to modify files from other users.
|
|
|
|
Searching the entire filesystem for world-writable directories will consume
|
|
a significant amount of disk I/O and could impact the performance of a
|
|
production system. It can also delay the playbook's completion. Therefore,
|
|
the search is disabled by default.
|
|
|
|
Deployers can enable the search by setting the following Ansible variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_find_world_writable_dirs: yes
|