Task "minimize access" no longer works on 5.2.0 #219

Closed
kofalt opened this issue May 11, 2019 · 2 comments
kofalt commented May 11, 2019

Describe the bug
On 5.1.0, I could observe a large set of changes made during the "minimize access" step. Instead, in the latest release, that appears to fail & be skipped due to a problem with the changes presumably made in #208. The root cause appears to be this find error:

find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’.

Expected behavior
The "minimize access" step should run.

Actual behavior

TASK [dev-sec.os-hardening : find files with write-permissions for group] ****************************************************************************************************************************************
ok: [none.none] => (item=/usr/local/sbin)
ok: [none.none] => (item=/usr/local/bin)
ok: [none.none] => (item=/usr/sbin)
failed: [none.none] (item=/usr/bin) => {"changed": false, "cmd": "find -L /usr/bin -perm /go+w -type f", "delta": "0:00:00.006142", "end": "2019-05-11 00:21:59.580287", "item": "/usr/bin", "msg": "non-zero return code", "rc": 1, "start": "2019-05-11 00:21:59.574145", "stderr": "find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’.", "stderr_lines": ["find: File system loop detected; ‘/usr/bin/X11’ is part of the same file system loop as ‘/usr/bin’."], "stdout": "", "stdout_lines": []}
ok: [none.none] => (item=/sbin)
ok: [none.none] => (item=/bin)
...ignoring

TASK [dev-sec.os-hardening : minimize access on found files] *****************************************************************************************************************************************************

TASK [dev-sec.os-hardening : change shadow ownership to root and mode to 0600 | os-02] ***************************************************************************************************************************

Example Playbook

    - name: Harden OS
      include_role:
        name: dev-sec.os-hardening

OS / Environment

$ find /etc/*release -type f,l | xargs cat
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=19.1
DISTRIB_CODENAME=tessa
DISTRIB_DESCRIPTION="Linux Mint 19.1 Tessa"
NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
PRETTY_NAME="Linux Mint 19.1"
VERSION_ID="19.1"
HOME_URL="https://www.linuxmint.com/"
SUPPORT_URL="https://forums.ubuntu.com/"
BUG_REPORT_URL="http://linuxmint-troubleshooting-guide.readthedocs.io/en/latest/"
PRIVACY_POLICY_URL="https://www.linuxmint.com/"
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04 LTS"

Ansible Version

$ ansible --version
ansible 2.7.10
  config file = /home/kofalt/yar/ansible.cfg
  configured module search path = [u'/home/kofalt/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]

Role Version

# Release 5.2.0
- name: dev-sec.os-hardening
  src: https://github.com/dev-sec/ansible-os-hardening
  version: 1393c190804652de1774d4c07c0f9fdfaef421d8
@rndmh3ro (Member) commented

Hey @kofalt,

Thanks for your report. However, this is not really a bug, since the "minimize access" task still works.

The find task throws an error on /usr/bin/X11 because that's what the find command does when it finds a filesystem loop. However, the other files inside /usr/bin (and all other directories) are still found and their permissions minimized in the next task.

This is also the reason why there's ignore_errors: true on the task.

I'm going to add some documentation on the task!
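The behaviour described in this reply, reproduced in a throwaway directory instead of on /usr/bin: this is an added POSIX shell example, not code from the dev-sec/ansible-os-hardening role or from the people in this thread. It builds a constructed tree with one group-writable file, one correctly protected file and an `X11 -> .` symlink loop, runs the same `find -L <dir> -perm /go+w -type f` command the failed task item shows, and demonstrates that GNU find exits 1 with the "File system loop detected" diagnostic on stderr while still listing the writable file on stdout; `minimize_access` then strips the group/other write bits the way the follow-up task does. The directory layout, file names and function names are assumptions made for the example, and it assumes GNU findutils (the `-perm /mode` syntax and loop detection are GNU behaviour).

```shell
#!/bin/sh
# Added example, not part of dev-sec/ansible-os-hardening: show why the
# "find files with write-permissions for group" task can exit 1 on a
# filesystem loop and still hand real results to "minimize access on found files".
# Everything below runs on a constructed temp directory; the file names, the
# X11 -> . loop and the function names are assumptions for this example.

# Build a tree that mimics /usr/bin on Debian-derived systems, where
# /usr/bin/X11 is a symlink back to the directory itself.
setup_tree() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\n' > "$dir/loose"
    chmod 0775 "$dir/loose"        # group-writable: the task should report it
    printf '#!/bin/sh\n' > "$dir/tight"
    chmod 0755 "$dir/tight"        # no group/other write bit: must not be reported
    ln -s . "$dir/X11"             # the symlink loop that makes find -L complain
    echo "$dir"
}

# The same command the role's task runs (see the failed item in the task output).
# Matches go to stdout, the "File system loop detected" diagnostic goes to
# stderr, and the exit status is 1 because a diagnostic was printed.
find_writable() {
    find -L "$1" -perm /go+w -type f
}

# What the follow-up task does: take whatever find listed, regardless of its
# exit status, and remove the group/other write bits. Prints the number of
# files it changed so a caller can check the outcome.
minimize_access() {
    matches=$(find_writable "$1" 2>/dev/null) || \
        echo "find reported a problem (e.g. a filesystem loop); keeping its partial results" >&2
    count=0
    # A here-document (not a pipe) keeps the loop in the current shell so $count survives.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod go-w "$f"
        count=$((count + 1))
    done <<EOF
$matches
EOF
    echo "$count"
}

# Run the whole sequence and print what the role's two tasks would see.
demo() {
    d=$(setup_tree)
    echo "== find output (stdout) and diagnostic (stderr) =="
    rc=0
    find_writable "$d" || rc=$?
    echo "== find exit status: $rc (1 = a diagnostic such as the loop was printed) =="
    echo "== files fixed by minimize_access: $(minimize_access "$d" 2>/dev/null) =="
    echo "== writable files left after fixing (expected: none) =="
    find_writable "$d" 2>/dev/null || true
    rm -rf "$d"
}

# Run the demonstration only when asked: sh minimize_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The point the script makes is the one the maintainer describes: the exit status of `find` says "something was reported", not "nothing was found", so a consumer of the task must keep the stdout list even when `rc` is non-zero. That is what `ignore_errors: true` achieves in the role; a stricter alternative would be a `failed_when` that only fails when stderr contains something other than the loop diagnostic, but the role's choice is sufficient because the next task only consumes `stdout_lines`.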

kofalt commented May 11, 2019

Makes sense. I got so used to the absolutely-enormous block of green OK from this task that I assumed something had to be wrong! Good to know.

rndmh3ro added a commit that referenced this issue May 12, 2019
add docs to find-task in minimize access. fix #219
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
add docs to find-task in minimize access. fix dev-sec#219