Ensure managed sudoers config files have 0440 permissions (#4814) (#4827)

* Ensure sudoers config files are created with 0440 permissions to appease visudo validation * Remove change not required by the bugfix * Add changelog fragment for 4814 sudoers file permissions * Update changelogs/fragments/4814-sudoers-file-permissions.yml Co-authored-by: Felix Fontein <felix@fontein.de> * Have less oct casting Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 2d1e58663c) Co-authored-by: Jon Ellis <ellis.jp@gmail.com>
2026-05-07 22:02:50 +00:00 · 2022-06-12 08:59:48 +02:00
parent a11b8fd517
commit 79d85cc83c
3 changed files with 24 additions and 1 deletions
--- a/tests/integration/targets/sudoers/tasks/main.yml
+++ b/tests/integration/targets/sudoers/tasks/main.yml
@@ -29,6 +29,11 @@
    commands: /usr/local/bin/command
  register: rule_1

+- name: Stat my-sudo-rule-1 file
+  ansible.builtin.stat:
+    path: "{{ sudoers_path }}/my-sudo-rule-1"
+  register: rule_1_stat
+
 - name: Grab contents of my-sudo-rule-1
  ansible.builtin.slurp:
    src: "{{ sudoers_path }}/my-sudo-rule-1"
@@ -132,6 +137,13 @@

 # Run assertions

+- name: Check rule 1 file stat
+  ansible.builtin.assert:
+    that:
+      - rule_1_stat.stat.exists
+      - rule_1_stat.stat.isreg
+      - rule_1_stat.stat.mode == '0440'
+
 - name: Check changed status
  ansible.builtin.assert:
    that: