From ef48aaf3f2bfd9614febeac0e60eb236b655f909 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Fri, 13 Oct 2017 13:59:40 +0200
Subject: [PATCH] library/roles/apache/tasks/apache-basic-auth.yml: More
 restrictive permissions for the htpasswd file.

---
 apache/tasks/apache-basic-auth.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apache/tasks/apache-basic-auth.yml b/apache/tasks/apache-basic-auth.yml
index a7372821..c0ae1c37 100644
--- a/apache/tasks/apache-basic-auth.yml
+++ b/apache/tasks/apache-basic-auth.yml
@@ -20,7 +20,7 @@
     - apache_basic_auth
   
 - name: Create the basic auth file when it is unique to all the virtualhosts
-  htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
+  htpasswd: path={{ apache_basic_auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
   when: apache_basic_users is defined and apache_basic_auth_single_file
   with_items: '{{ apache_basic_users }}'
   tags:
@@ -28,7 +28,7 @@
     - apache_basic_auth
 
 - name: Create the basic auth files
-  htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }}
+  htpasswd: path={{ item.auth_file }} name={{ item.username }} password={{ item.password }} create=yes state={{ item.state }} owner=root group={{ apache_group }} mode=0640
   with_items: '{{ apache_basic_users | default([]) }}'
   when: apache_basic_users is defined and not apache_basic_auth_single_file
   tags: