---
# Using a two-pass approach for checking directories in order to support symlinks.
- include_tasks: find_files.yml
  loop_control:
    loop_var: outer_item
  loop:
    - '/usr/local/sbin'
    - '/usr/local/bin'
    - '/usr/sbin'
    - '/usr/bin'
    - '/sbin'
    - '/bin'
    - '{{ os_env_extra_user_paths }}'

- name: change shadow ownership to root and mode to 0600 | os-02
  file:
    dest: '/etc/shadow'
    owner: '{{ os_shadow_perms.owner }}'
    group: '{{ os_shadow_perms.group }}'
    mode: '{{ os_shadow_perms.mode }}'

- name: change passwd ownership to root and mode to 0644 | os-03
  file:
    dest: '/etc/passwd'
    owner: '{{ os_passwd_perms.owner }}'
    group: '{{ os_passwd_perms.group }}'
    mode: '{{ os_passwd_perms.mode }}'

- name: change su-binary to only be accessible to user and group root
  file:
    dest: '/bin/su'
    owner: 'root'
    group: 'root'
    mode: '0750'
  when: os_security_users_allow != None