From f9dc9e4998573fd78ea36f8a47f8ad5ae05a2ab7 Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Mon, 26 Aug 2024 16:30:15 +0100
Subject: Harden security permissions on git-mirrors owned files
---
 ansible/roles/git-mirrors/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'ansible')
diff --git a/ansible/roles/git-mirrors/tasks/main.yml b/ansible/roles/git-mirrors/tasks/main.yml
index 0c2f78b..0df9601 100644
--- a/ansible/roles/git-mirrors/tasks/main.yml
+++ b/ansible/roles/git-mirrors/tasks/main.yml
@@ -72,7 +72,7 @@
 dest: "{{ git_mirrors_base_dir }}/mirrored/{{ item.owner }}/{{ item.repo }}/description"
 owner: "{{ git_mirrors_user }}"
 group: "{{ git_mirrors_user }}"
- mode: "0644"
+ mode: "0444"
 with_items:
 - "{{ git_mirrors_mirrored_repositories }}"
 tags:
@@ -82,7 +82,7 @@
 template:
 src: cgitrc.j2
 dest: /etc/cgitrc
- mode: "0644"
+ mode: "0444"
 owner: root
 group: root
 tags:
@@ -107,7 +107,7 @@
 template:
 src: nginx-site.conf.j2
 dest: /etc/nginx/sites-available/cgit.conf
- mode: "0644"
+ mode: "0444"
 owner: root
 group: root
 tags:
@@ -129,7 +129,7 @@
 template:
 src: update-mirrors.sh.j2
 dest: "{{ git_mirrors_base_dir }}/update-mirrors.sh"
- mode: "0744"
+ mode: "0544"
 owner: "{{ git_mirrors_user }}"
 group: "{{ git_mirrors_user }}"
 tags:
-- cgit v1.2.3
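Review bot: The new `mode: "0444"` on the per-repository description file (hunk at line 72) and `mode: "0544"` on update-mirrors.sh (hunk at line 129) do not stop the mirror account from changing either file. Both keep `owner: "{{ git_mirrors_user }}"`, so that account can `chmod` the write bit back. If it also owns the containing directory, which these hunks do not show, it can replace the files outright. If the aim is that a compromised mirror account cannot alter the script it executes, the stronger form for the script task is `owner: root`, `group: "{{ git_mirrors_user }}"`, `mode: "0554"`, with the same ownership change and `mode: "0444"` for the description file. Both tasks begin above their hunks, so who runs the script and whether the mirror process needs to write the description are not visible here and should be confirmed first.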
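Review bot: Dropping the owner write bit on /etc/cgitrc (hunk at line 82) and /etc/nginx/sites-available/cgit.conf (hunk at line 107) does not change who can modify these files. Both are `owner: root`, and root normally bypasses the mode bits, while every other user already had no write access under `0644`. The change is harmless, but it is a convention rather than an access control. A comment above each `mode:` line, such as `# 0444: read-only by convention; root can still write`, would keep later readers from relying on it. Both tasks start above their hunks, so any `become` or handler settings are outside this view.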