fix(roles/mirror): set mode 0440 on sudoers file

markuslf · markuslf · commit 4497b326b1f8 · 2026-03-30T13:55:22.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -69,6 +69,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+* **role:mirror**: Fix missing `0440` permissions on sudoers file
 * **role:login**: Rename sudoers file from `lfops_login` to `linuxfabrik` to match the kickstart configuration; remove the old file automatically
 * **roles**: Fix Ansible 2.19 deprecation warning for conditional results of type `int` by using `| length > 0` instead of `| length`
 * **role:firewall**: Fix fwbuilder repo clone being skipped when `run_once` picks a host without `firewall__fwbuilder_repo_url`
diff --git a/roles/mirror/tasks/main.yml b/roles/mirror/tasks/main.yml
@@ -19,6 +19,7 @@
     ansible.builtin.copy:
       src: '/opt/mirror/mirror.sudoers'
       dest: '/etc/sudoers.d/mirror'
+      mode: 0o440
       remote_src: true
 
   - name: 'cp /opt/mirror/systemd/mirror-update.service /etc/systemd/system/mirror-update.service'
