Introduction

Ansible, the robust automation tool, empowers users to manage configurations, deploy software, and automate a wide range of tasks with ease. However, ensuring that file permissions are secure and predictable when creating or manipulating files is crucial to maintaining a stable and safe environment. In this article, we’ll explore Ansible Error 208, “risky-file-permissions,” in [Ansible-Lint](/articles/ansible-lint), which focuses on the risks associated with modules that can create or modify files with potentially insecure or unpredictable permissions. We’ll discuss how to use these modules safely and mitigate potential security issues in your Ansible playbooks.

The Problem: Risky File Permissions

Ansible Error 208, “risky-file-permissions,” serves as a reminder of the potential security risks posed by modules that can create or modify files with overly open or unpredictable permissions. This rule is triggered by various modules, such as ansible.builtin.copy, ansible.builtin.file, community.general.archive, and others. If the proper arguments are not used with these modules, it can result in files on disk having insecure permissions.

Problematic Code Example:

```yaml
---
- name: Example error 208
  hosts: all
  tasks:
    - name: Unsafe example of using ini_file
      community.general.ini_file:
        path: foo
        create: true
```

In the problematic code above, the ini_file module is used with the create argument set to true, potentially creating a file with insecure permissions, depending on the system settings.

Output:

```bash
WARNING Listing 2 violation(s) that are fatal
args[module]: missing required arguments: section (warning)
208.yml:5 Task/Handler: Unsafe example of using ini_file

risky-file-permissions: File permissions unset or incorrect.
208.yml:5 Task/Handler: Unsafe example of using ini_file

Read documentation for instructions on how to ignore specific rule violations.

Rule Violation Summary
count tag                    profile rule associated tags
    1 risky-file-permissions safety  unpredictability
    1 args[module]                   syntax, experimental (warning)

Failed: 1 failure(s), 1 warning(s) on 1 files. Last profile that met the validation criteria was 'moderate'. Rating: 2/5 star
```
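A corrected version of the playbook, added here as an example and not taken from the original article or from the ansible-lint project: every task that can create a file sets an explicit `mode` (and, where it matters, `owner` and `group`), so the permissions of the resulting file no longer depend on the umask of the managed host. The `section` argument is also supplied, which clears the second warning shown in the output above. The paths under `/etc/myapp`, the `myapp` group, the `files/app.conf` source and the permission values are assumptions chosen for illustration.

```yaml
---
- name: Example error 208, corrected
  hosts: all
  tasks:
    - name: Safe example of using ini_file
      community.general.ini_file:
        path: /etc/myapp/app.ini      # assumed path for illustration
        section: general              # required argument of ini_file
        option: log_level
        value: info
        create: true
        owner: root
        group: myapp                  # assumed group
        mode: "0640"                  # explicit permissions satisfy risky-file-permissions

    - name: Create the application directory with explicit permissions
      ansible.builtin.file:
        path: /etc/myapp
        state: directory
        owner: root
        group: myapp
        mode: "0750"

    - name: Copy a config file with explicit permissions
      ansible.builtin.copy:
        src: files/app.conf           # assumed source file in the playbook's files/ directory
        dest: /etc/myapp/app.conf
        owner: root
        group: myapp
        mode: "0644"
```

Quote the `mode` value as a string: an unquoted `0640` is parsed by YAML as an octal integer (decimal 416), and Ansible then applies a different set of permission bits than the one you intended. Writing `"0640"` or the symbolic form `u=rw,g=r,o=` avoids that ambiguity.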

Modules that are checked

  • [ansible.builtin.assemble](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/assemble_module.html)
  • [ansible.builtin.copy](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html)
  • [ansible.builtin.file](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html)
  • [ansible.builtin.get_url](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html)
  • [ansible.builtin.replace](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.htm