From 454d4c6d30eba1044c047083d0d0c8ea1938e323 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 26 May 2021 13:47:34 +0200 Subject: [PATCH] explicit permissions for APT GPG keys --- apt/tasks/evolix_public.yml | 2 ++ docker-host/tasks/main.yml | 2 ++ elasticsearch/tasks/packages.yml | 2 ++ evolinux-base/tasks/hardware.yml | 4 ++++ filebeat/tasks/main.yml | 2 ++ fluentd/tasks/main.yml | 2 ++ jenkins/tasks/main.yml | 2 ++ kibana/tasks/main.yml | 2 ++ logstash/tasks/main.yml | 2 ++ lxc-php/tasks/php74.yml | 4 ++++ metricbeat/tasks/main.yml | 2 ++ mongodb/tasks/main_buster.yml | 2 ++ newrelic/tasks/sources.yml | 2 ++ nodejs/tasks/main.yml | 3 +++ nodejs/tasks/yarn.yml | 3 +++ percona/tasks/main.yml | 2 ++ php/tasks/sury_pre.yml | 2 ++ postgresql/tasks/pgdg-repo.yml | 2 ++ 18 files changed, 42 insertions(+) diff --git a/apt/tasks/evolix_public.yml b/apt/tasks/evolix_public.yml index eefd008e..00067f46 100644 --- a/apt/tasks/evolix_public.yml +++ b/apt/tasks/evolix_public.yml @@ -14,6 +14,8 @@ dest: /etc/apt/trusted.gpg.d/reg.asc force: yes mode: "0644" + owner: root + group: root tags: - apt diff --git a/docker-host/tasks/main.yml b/docker-host/tasks/main.yml index c31405b8..d3a41a28 100644 --- a/docker-host/tasks/main.yml +++ b/docker-host/tasks/main.yml @@ -33,6 +33,8 @@ dest: /etc/apt/trusted.gpg.d/docker-debian.asc force: yes mode: "0644" + owner: root + group: root - name: Install docker and python-docker apt: diff --git a/elasticsearch/tasks/packages.yml b/elasticsearch/tasks/packages.yml index 57beb0cc..da154593 100644 --- a/elasticsearch/tasks/packages.yml +++ b/elasticsearch/tasks/packages.yml @@ -23,6 +23,8 @@ dest: /etc/apt/trusted.gpg.d/elastic.asc force: yes mode: "0644" + owner: root + group: root tags: - elasticsearch - packages diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml index 478e5015..9ece740e 100644 --- a/evolinux-base/tasks/hardware.yml +++ b/evolinux-base/tasks/hardware.yml 
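Review bot: The elasticsearch hunk writes `/etc/apt/trusted.gpg.d/elastic.asc` with `force: yes`, and the filebeat, kibana, logstash and metricbeat hunks in this same commit each do the same to the same path, so whichever role runs last decides which copy of the Elastic key is the trust anchor; if one role's bundled key is refreshed after a rotation and the others are not, a later run silently reinstates the stale one. Now that all five carry identical `owner`/`group`/`mode`/`force` settings, the key installation belongs in one shared task file (or a dependency role) that the five roles include, leaving a single copy to review whenever the key changes. The move to explicit root ownership is correct for a file apt reads as a trust anchor and is not in question here.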
@@ -49,6 +49,8 @@ dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc force: yes mode: "0644" + owner: root + group: root - name: Add HPE repository apt_repository: @@ -114,6 +116,8 @@ dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc force: yes mode: "0644" + owner: root + group: root when: ansible_distribution_major_version is version('9', '>=') - name: Add HW tool repository diff --git a/filebeat/tasks/main.yml b/filebeat/tasks/main.yml index 4594d5ed..034808d3 100644 --- a/filebeat/tasks/main.yml +++ b/filebeat/tasks/main.yml @@ -23,6 +23,8 @@ dest: /etc/apt/trusted.gpg.d/elastic.asc force: yes mode: "0644" + owner: root + group: root tags: - filebeat - packages diff --git a/fluentd/tasks/main.yml b/fluentd/tasks/main.yml index 4e165e2b..159748e6 100644 --- a/fluentd/tasks/main.yml +++ b/fluentd/tasks/main.yml @@ -15,6 +15,8 @@ dest: /etc/apt/trusted.gpg.d/fluentd.asc force: yes mode: "0644" + owner: root + group: root tags: - packages - fluentd diff --git a/jenkins/tasks/main.yml b/jenkins/tasks/main.yml index e6533e9d..da23e5f5 100644 --- a/jenkins/tasks/main.yml +++ b/jenkins/tasks/main.yml @@ -17,6 +17,8 @@ dest: /etc/apt/trusted.gpg.d/jenkins.asc force: yes mode: "0644" + owner: root + group: root - name: Add jenkins APT repository apt_repository: diff --git a/kibana/tasks/main.yml b/kibana/tasks/main.yml index 44bed1a6..1ed342e0 100644 --- a/kibana/tasks/main.yml +++ b/kibana/tasks/main.yml @@ -23,6 +23,8 @@ dest: /etc/apt/trusted.gpg.d/elastic.asc force: yes mode: "0644" + owner: root + group: root tags: - kibana - packages diff --git a/logstash/tasks/main.yml b/logstash/tasks/main.yml index 0b58dbe8..4ae70623 100644 --- a/logstash/tasks/main.yml +++ b/logstash/tasks/main.yml @@ -23,6 +23,8 @@ dest: /etc/apt/trusted.gpg.d/elastic.asc force: yes mode: "0644" + owner: root + group: root tags: - logstash - packages diff --git a/lxc-php/tasks/php74.yml b/lxc-php/tasks/php74.yml index 43de6f3c..2c4538e8 100644 --- a/lxc-php/tasks/php74.yml 
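Review bot: Both keys in the hardware hunks land in `/etc/apt/trusted.gpg.d/`, where apt trusts them for every configured source, so the HPE and hwraid.le-vert.net keys can validate a Release file for the Debian archive as well as for their own repositories; root ownership does not narrow that. The hwraid task is already guarded by `when: ansible_distribution_major_version is version('9', '>=')`, and apt from stretch onwards honours a per-source `signed-by=`, so the key can go to `/etc/apt/keyrings/hwraid.le-vert.net.asc` and the `Add HW tool repository` entry (outside this hunk) can carry `[signed-by=/etc/apt/keyrings/hwraid.le-vert.net.asc]`, scoping the key to that one repository; `/etc/apt/keyrings` may need a `file: state: directory` task first on older releases. The same applies to the HPE key and to the other `trusted.gpg.d` destinations in this commit.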
+++ b/lxc-php/tasks/php74.yml @@ -21,12 +21,16 @@ src: reg.asc dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc mode: "0644" + owner: root + group: root - name: copy packages.sury.org GPG Key copy: src: sury.gpg dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg mode: "0644" + owner: root + group: root - name: "{{ lxc_php_version }} - Update APT cache" lxc_container: diff --git a/metricbeat/tasks/main.yml b/metricbeat/tasks/main.yml index 14357f18..640a8902 100644 --- a/metricbeat/tasks/main.yml +++ b/metricbeat/tasks/main.yml @@ -23,6 +23,8 @@ dest: /etc/apt/trusted.gpg.d/elastic.asc force: yes mode: "0644" + owner: root + group: root tags: - metricbeat - packages diff --git a/mongodb/tasks/main_buster.yml b/mongodb/tasks/main_buster.yml index 9baf7c8a..2e62255a 100644 --- a/mongodb/tasks/main_buster.yml +++ b/mongodb/tasks/main_buster.yml @@ -12,6 +12,8 @@ dest: /etc/apt/trusted.gpg.d/mongodb-server-4.2.asc force: yes mode: "0644" + owner: root + group: root - name: enable APT sources list apt_repository: diff --git a/newrelic/tasks/sources.yml b/newrelic/tasks/sources.yml index 330f1ecf..08a3ae51 100644 --- a/newrelic/tasks/sources.yml +++ b/newrelic/tasks/sources.yml @@ -12,6 +12,8 @@ dest: /etc/apt/trusted.gpg.d/newrelic.asc force: yes mode: "0644" + owner: root + group: root - name: Install NewRelic repository apt_repository: diff --git a/nodejs/tasks/main.yml b/nodejs/tasks/main.yml index d0aa18b8..96fb2f93 100644 --- a/nodejs/tasks/main.yml +++ b/nodejs/tasks/main.yml @@ -23,6 +23,9 @@ copy: src: nodesource.asc dest: /etc/apt/trusted.gpg.d/nodesource.asc + mode: "0644" + owner: root + group: root tags: - system - packages diff --git a/nodejs/tasks/yarn.yml b/nodejs/tasks/yarn.yml index 05438e64..31bce9c6 100644 --- a/nodejs/tasks/yarn.yml +++ b/nodejs/tasks/yarn.yml 
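Review bot: The two lxc-php copies set `owner: root` / `group: root` on a path inside the container rootfs (`/var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/`), where the uid is resolved on the host rather than in the container. That matches the commit's intent only if these containers run privileged (host uid 0 is container root); if the rootfs is id-mapped, the file would appear owned by `nobody` inside the container — apt still reads a 0644 file, but the "root-owned trust anchor" property this commit adds would not hold there. A comment on the task stating the assumption, e.g. `# privileged container: host uid 0 is container root`, or a check against the lxc_container definition that no idmap is in use, would make that explicit.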
@@ -15,6 +15,9 @@ copy: src: yarnpkg.asc dest: /etc/apt/trusted.gpg.d/yarnpkg.asc + mode: "0644" + owner: root + group: root tags: - system - packages diff --git a/percona/tasks/main.yml b/percona/tasks/main.yml index b60a88a8..dc182e10 100644 --- a/percona/tasks/main.yml +++ b/percona/tasks/main.yml @@ -15,6 +15,8 @@ dest: /etc/apt/trusted.gpg.d/percona.asc force: yes mode: "0644" + owner: root + group: root - name: Check if percona-release is installed shell: "set -o pipefail && dpkg -l percona-release 2> /dev/null | grep -q -E '^(i|h)i'" diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index 45d5d005..f5253b09 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -5,6 +5,8 @@ url: https://packages.sury.org/php/apt.gpg dest: /etc/apt/trusted.gpg.d/sury.gpg mode: "0644" + owner: root + group: root - name: Setup deb.sury.org repository - Install apt-transport-https apt: diff --git a/postgresql/tasks/pgdg-repo.yml b/postgresql/tasks/pgdg-repo.yml index 11d7893b..5ea7b65a 100644 --- a/postgresql/tasks/pgdg-repo.yml +++ b/postgresql/tasks/pgdg-repo.yml @@ -25,6 +25,8 @@ dest: /etc/apt/trusted.gpg.d/pgdg.asc force: yes mode: "0644" + owner: root + group: root - name: Update and upgrade apt packages for PGDG repository apt:
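Review bot: The sury hunk fetches the trust anchor from `https://packages.sury.org/php/apt.gpg` with no `checksum:`, so whatever the server returns is installed into `/etc/apt/trusted.gpg.d/sury.gpg` as a key apt trusts for all sources; root ownership does not protect against a swapped key at the origin or in transit past TLS. Presuming this is a get_url task (the module line is above the hunk), pin it with `checksum: "sha256:<digest of the current apt.gpg>"`, or ship the key as a role file the way lxc-php already does with `src: sury.gpg`, so a changed upstream key fails the run instead of being silently trusted. The other tasks in this commit whose `src`/`url` lies outside their hunks deserve the same check.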