From 270da668c32bef482b80433bb6be35f94ec590da Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 26 Nov 2023 15:35:51 +0000
Subject: [PATCH] pki: Prevent OpenBSD from changing permissions
---
 roles/pki/files/mtree.patch | 11 +++++++++++
 roles/pki/tasks/main.yml | 6 ++++++
 2 files changed, 17 insertions(+)
 create mode 100644 roles/pki/files/mtree.patch
diff --git a/roles/pki/files/mtree.patch b/roles/pki/files/mtree.patch
new file mode 100644
index 0000000..04e6e89
--- /dev/null
+++ b/roles/pki/files/mtree.patch
@@ -0,0 +1,11 @@
+--- 4.4BSD.dist.orig Sat Nov 25 20:29:26 2023
++++ 4.4BSD.dist Sat Nov 25 20:29:36 2023
+@@ -105,7 +105,7 @@
+
+ # ./etc/ssl
+ ssl
+- private uname=root mode=0700
++ private uname=root mode=0750
+ ..
+ ..
+
diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
index b27715a..3e20d68 100644
--- a/roles/pki/tasks/main.yml
+++ b/roles/pki/tasks/main.yml
@@ -29,6 +29,12 @@
 ansible.builtin.set_fact:
 pki_cacert_hash: "{{ result.stdout }}"

+- name: Patch mtree to set correct permissions on /etc/ssl/private
+ ansible.posix.patch:
+ dest: /etc/mtree/4.4BSD.dist
+ src: mtree.patch
+ when: ansible_system == "OpenBSD"
+
 - name: Fix private key directory permissions
 ansible.builtin.file:
 path: "{{ tls_private }}"
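Review bot: The patched mtree entry `private uname=root mode=0750` opens /etc/ssl/private to group read and search but names no group, so the baseline no longer says which group is meant to have that access. The group actually applied presumably comes from the "Fix private key directory permissions" task, whose body lies outside this diff. If that is a dedicated service group, pinning it in the spec as well, e.g. `private uname=root gname=<intended-group> mode=0750` (placeholder group name), would keep the mtree check able to flag an unexpected group. With the directory searchable by the group, the key files themselves are the remaining barrier, so their modes should stay at 0640 or tighter.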
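Review bot: The new `ansible.posix.patch` task edits an OS-owned permission baseline in place without a backup and without a comment recording why the private-key directory is being loosened. Adding `backup: true` to the module arguments would keep a copy of /etc/mtree/4.4BSD.dist if the patch misapplies. Since that file presumably ships with the base system, an upgrade is likely to restore the 0700 entry until the play runs again, and a changed stanza upstream could make the task fail. A line above the task such as `# 4.4BSD.dist is replaced on OS upgrade; re-run this role afterwards` would document that. The "Fix private key directory permissions" task that follows continues outside the hunk.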