From f3c6ddd67b2b3e95809a1800960810a6067f3e15 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Fri, 5 Feb 2021 16:15:23 +0100
Subject: [PATCH] Ensure the correct permissions of the config files.

---
 tasks/configure-access.yml | 14 +++++++-------
 tasks/postgres_pgpool.yml  |  4 ++++
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/tasks/configure-access.yml b/tasks/configure-access.yml
index 1245cd4..80e51fe 100644
--- a/tasks/configure-access.yml
+++ b/tasks/configure-access.yml
@@ -2,7 +2,7 @@
 - name: Configure accesses on Deb/Ubuntu
   block:
   - name: Give access to the remote postgresql client
-    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
     with_subelements: 
       - '{{ psql_db_data | default([]) }}'
       - allowed_hosts
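Review bot: The same `owner=root group=postgres mode='0440'` triple is appended to seven separate lineinfile tasks in this file (here and at the hunks for lines 29, 38, 47, 56, 65 and 71), so ownership of pg_hba.conf is enforced only as a side effect of whichever line-editing task happens to run, and any future change to the mode must be made in seven places. A single dedicated task per distribution block, in the same style as the one the commit adds to postgres_pgpool.yml, would state the intent once: `- name: Ensure that pg_hba.conf has the correct permissions` / `file: path={{ psql_conf_dir }}/pg_hba.conf owner=root group=postgres mode='0440'`, placed after the last lineinfile task and carrying the same tags. Three of the edited lines (38, 65, 71) also carry a double space before `owner=`, which the key=value parser tolerates but which reads as a copy-paste slip. For the `state=absent` task at line 65 it is worth confirming that the installed lineinfile version applies the file attributes when the matched line is not present; I believe current versions do, but a dedicated file task removes the doubt.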
@@ -15,7 +15,7 @@
     tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
 
   - name: Give access to the remote postgresql client, force ssl
-    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
     with_subelements: 
       - '{{ psql_db_data | default([]) }}'
       - allowed_hosts
@@ -29,7 +29,7 @@
 
   # No conditionals, it is needed to perform base backups when the WAL archive is active
   - name: Give local access with replication privileges to the postgres user
-    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"
+    lineinfile: name={{ psql_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"  owner=root group=postgres mode='0440'
     notify: Reload postgresql
     tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
 
@@ -44,7 +44,7 @@
       - firewalld_enabled
 
   - name: Give access to the remote postgresql client
-    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="host {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
     with_subelements: 
       - '{{ psql_db_data | default([]) }}'
       - allowed_hosts
@@ -57,7 +57,7 @@
     tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
 
   - name: Give access to the remote postgresql client, force ssl
-    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5"
+    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^host.* {{ item.0.name }} {{ item.0.user }} {{ item.1 }}.*$" line="hostssl {{ item.0.name }} {{ item.0.user }} {{ item.1 }} md5" owner=root group=postgres mode='0440'
     with_subelements: 
       - '{{ psql_db_data | default([]) }}'
       - allowed_hosts
@@ -71,12 +71,12 @@
 
   # No conditionals, it is needed to perform base backups when the WAL archive is active
   - name: Remove the ident authentication for the local connections
-    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local.*?all.*?ident$" state=absent
+    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local.*?all.*?ident$" state=absent  owner=root group=postgres mode='0440'
     notify: Reload postgresql
     tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
 
   - name: Give local access with replication privileges to the postgres user
-    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"
+    lineinfile: name={{ psql_el_conf_dir }}/pg_hba.conf regexp="^local replication postgres peer" line="local replication postgres peer"  owner=root group=postgres mode='0440'
     notify: Reload postgresql
     tags: [ 'postgresql', 'postgres', 'pg_hba', 'pg_db' ]
 
diff --git a/tasks/postgres_pgpool.yml b/tasks/postgres_pgpool.yml
index 1a1ab94..2ff06c3 100644
--- a/tasks/postgres_pgpool.yml
+++ b/tasks/postgres_pgpool.yml
@@ -52,6 +52,10 @@
     notify: Restart postgresql with pgpool config
     tags: [ 'postgresql', 'postgres', 'pg_conf', 'pgpool' ]
 
+  - name: Ensure that the postgresql config file has the correct permissions
+    file: dest={{ psql_conf_dir }}/postgresql.conf owner=root group=postgres mode='0440
+    tags: [ 'postgresql', 'postgres', 'pg_conf', 'pgpool' ]
+
   - name: Add the pgpool postgres extensions to the template1 dbs
     become: True
     become_user: postgres
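Review bot: The quote opened in `mode='0440` on the new `file:` line is never closed, so Ansible's key=value argument splitter will reject this task with an unbalanced-quotes error before it runs, and the permissions on postgresql.conf will never be set; the line should end with `mode='0440'`. This is the only place in the commit where the permission task is written as a standalone `file:` task rather than as extra arguments on a lineinfile, so it is also the one that would be copied if the pattern is reused — worth getting right. The `dest=` key is an accepted alias for the file module's `path`, so that part is fine as written.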