Harden quarantine provisioning; enforce strict permissions and update Ansible and docs

2026-02-12 07:47:48 +01:00
parent 037b176892
commit 1768f61da1
44 changed files with 2587 additions and 698 deletions
--- a/scripts/ansible/upload-logger-provision.yml
+++ b/scripts/ansible/upload-logger-provision.yml
@@ -0,0 +1,63 @@
+---
+# Ansible playbook snippet to provision upload-logger directories and permissions.
+# Usage: ansible-playbook -i inventory scripts/ansible/upload-logger-provision.yml
+
+- hosts: web
+  become: true
+  vars:
+    upload_logger_root: "{{ playbook_dir | default('.') | dirname | realpath }}"
+    quarantine_dir: "{{ upload_logger_root }}/quarantine"
+    state_dir: "{{ upload_logger_root }}/state"
+    quarantine_owner: "root"
+    quarantine_group: "www-data"
+    quarantine_perms: "0700"
+    state_perms: "0750"
+    selinux_fcontext: "httpd_sys_rw_content_t"
+
+  tasks:
+    - name: Ensure quarantine directory exists
+      file:
+        path: "{{ quarantine_dir }}"
+        state: directory
+        owner: "{{ quarantine_owner }}"
+        group: "{{ quarantine_group }}"
+        mode: "{{ quarantine_perms }}"
+
+    - name: Ensure state directory exists
+      file:
+        path: "{{ state_dir }}"
+        state: directory
+        owner: "{{ quarantine_owner }}"
+        group: "{{ quarantine_group }}"
+        mode: "{{ state_perms }}"
+
+    - name: Ensure quarantined files have strict permissions (files -> 0600)
+      find:
+        paths: "{{ quarantine_dir }}"
+        file_type: file
+      register: quarantine_files
+
+    - name: Set strict mode on existing quarantined files
+      file:
+        path: "{{ item.path }}"
+        mode: '0600'
+        owner: "{{ quarantine_owner }}"
+        group: "{{ quarantine_group }}"
+      loop: "{{ quarantine_files.files }}"
+      when: quarantine_files.matched > 0
+
+    - name: Set SELinux fcontext for quarantine dir (when selinux enabled)
+      when: ansible_selinux.status == 'enabled'
+      sefcontext:
+        target: "{{ quarantine_dir }}(/.*)?"
+        setype: "{{ selinux_fcontext }}"
+
+    - name: Set SELinux fcontext for state dir (when selinux enabled)
+      when: ansible_selinux.status == 'enabled'
+      sefcontext:
+        target: "{{ state_dir }}(/.*)?"
+        setype: "{{ selinux_fcontext }}"
+
+    - name: Apply SELinux contexts
+      when: ansible_selinux.status == 'enabled'
+      command: restorecon -Rv {{ quarantine_dir }} {{ state_dir }}