Netrc too permissive

ISSUE SUMMARY

Hi team, I have a private repo that contains ansible playbooks.
When it runs, I get the error below saying the drone generated netrc access is too permissive. Should I do something like chmod 600 ~/.netrc somewhere? If so, where?

\"/usr/lib/python2.7/netrc.py\", line 35, in __init__\n    self._parse(file, fp, default_netrc)\n  File \"/usr/lib/python2.7/netrc.py\", line 113, in _parse\n    \" the owner\", file, lexer.lineno)\nnetrc.NetrcParseError: ~/.netrc access too permissive: access permissions must restrict access to only the owner (/root/.netrc, line 1)\n", 

Not sure if related, but a previous pipeline stage runs terraform which pulls down code from another private repo for building out infrastructure. This runs fine using an ssh key imported via drone secrets.

terraform {
  source = "git@github.com:privaterepo2/terraform-modules//module_name?ref=v0.1"
}

using these commands

  # Write github deploy key to disk
  - mkdir /root/.ssh
  - echo -n "$GIT_KEY" > /root/.ssh/id_rsa
  - chmod 600 /root/.ssh/id_rsa

DRONE VERSION

1.6.2

Seems ansible (/usr/lib/python2.7/netrc.py) no longer complains after doing chmod 600 :thinking:. Is this something that should get fixed?

+ ls -lah /root
total 20K    
drwx------    1 root     root        4.0K Jan  5 12:15 .
drwxr-xr-x    1 root     root        4.0K Jan  5 12:15 ..
drwx------    1 root     root        4.0K Dec 17 02:42 .cache
-rw-r--r--    1 root     root          89 Jan  5 12:15 .netrc
-rw-r--r--    1 root     root         165 Dec 17 08:03 .wget-hsts
+ chmod 600 /root/.netrc
+ ls -lah /root
total 20K    
drwx------    1 root     root        4.0K Jan  5 12:15 .
drwxr-xr-x    1 root     root        4.0K Jan  5 12:15 ..
drwx------    1 root     root        4.0K Dec 17 02:42 .cache
-rw-------    1 root     root          89 Jan  5 12:15 .netrc
-rw-r--r--    1 root     root         165 Dec 17 08:03 .wget-hsts

I have a very similar issue. I use drone to validate my ansible playbook and roles. Part of this is to execute ansible-galaxy which downloads roles from a central repository (think of it as pip from python). Whenever a new role needs to be downloaded, the mentioned error with wrong permissions on the .netrc file occurs.

latest: Pulling from ansible
Digest: sha256:826556a472d55fd5886b9c5d6f3698d1451c95b98d21ae50071d377f67bab088
Status: Downloaded newer image for myregistry/ansible:latest
+ ansible-lint playbook.yml
+ ansible-galaxy install -r roles/requirements.yml
- extracting geerlingguy.awx to /drone/src/roles/geerlingguy.awx
- geerlingguy.awx was installed successfully
[WARNING]: - dj-wasabi.telegraf was NOT installed successfully: Unknown error
when attempting to call Galaxy at 'https://galaxy.ansible.com/api/': ~/.netrc
access too permissive: access permissions must restrict access to only the
owner (/root/.netrc, line 1)
ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.

My drone config is the following:

    ---
    kind: pipeline
    name: default
    type: docker

    steps:
    - name: syntax check
      image: myregistry/ansible
      commands:
          - ansible-lint playbook.yml
          - ansible-galaxy install -r roles/requirements.yml
          - ansible-playbook --syntax-check playbook.yml

    image_pull_secrets:
        - dockerconfig

The first role geerlingguy.awx is successful, because it is cached on drone. After I added another role in the requirements.yml the error reappeared.

My workaround is to add the chmod command as additional action before the ansible-galaxy command.

      commands:
          - ansible-lint playbook.yml
          - chmod 0600 /root/.netrc
          - ansible-galaxy install -r roles/requirements.yml
          - ansible-playbook --syntax-check playbook.yml

Please upgrade your runner to the latest stable release; we received and merged a pull request that fixed the netrc permission.

Thank you for the quick reply. After the upgrade the job is running as expected and the workaround with chmod is no longer needed.
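
The check behind the error in this thread can be reproduced with Python 3's standard `netrc` module, which refuses a default `~/.netrc` holding a password if any group or other permission bit is set. This is an added example, not part of the original thread or of Drone's code; the host, login and token are constructed placeholders and the helper names are hypothetical.

```python
import netrc
import os
import stat
import tempfile

# Constructed sample entry; host, login and token are placeholders.
SAMPLE = "machine git.example.com login ci-user password constructed-token\n"


def group_other_bits(path):
    """Return the group/other permission bits the netrc module objects to."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def try_default_netrc(home):
    """Parse $HOME/.netrc the way a library does when given no explicit path."""
    saved = os.environ.get("HOME")
    os.environ["HOME"] = home
    try:
        login, _account, _password = netrc.netrc().authenticators("git.example.com")
        return ("ok", login)
    except netrc.NetrcParseError as exc:
        return ("rejected", str(exc))
    finally:
        # Restore the caller's HOME so the demo has no side effects.
        if saved is None:
            del os.environ["HOME"]
        else:
            os.environ["HOME"] = saved


def demo():
    """Return the parse outcome for mode 0644, then for mode 0600."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".netrc")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)   # the mode shown in the thread's first listing
        before = (oct(group_other_bits(path)), try_default_netrc(home))
        os.chmod(path, 0o600)   # the chmod workaround from the thread
        after = (oct(group_other_bits(path)), try_default_netrc(home))
        return before, after


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

The permission test only fires for the default lookup (no explicit file path) on POSIX systems, which is why the error names `/root/.netrc` in the pipeline output above.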