From 73a8534712ae97402f08a9eb4e1745e420b98ceb Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Wed, 20 Jan 2016 21:04:16 +0100
Subject: [PATCH 1/2] set suid-var to default=omit

this prevents the task "remove suid/sgid bit from all binaries except in system and user whitelist" from failing when the suid-var is not set and `os_security_suid_sgid_remove_from_unknown` is not set either.

See: https://github.com/ansible/ansible/issues/11964
---
 tasks/suid_sgid.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tasks/suid_sgid.yml b/tasks/suid_sgid.yml
index 81ce04bc..fdedd976 100644
--- a/tasks/suid_sgid.yml
+++ b/tasks/suid_sgid.yml
@@ -12,6 +12,11 @@
 when: os_security_suid_sgid_remove_from_unknown
 changed_when: False
 
+#- name: initialize suid-variable so last task does not crash when second last does not run
+# set_fact:
+# suid: ''
+# when: os_security_suid_sgid_remove_from_unknown
+
 - name: gather files from which to remove suids/sgids and remove system white-listed files
 set_fact:
 suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'
@@ -20,5 +25,5 @@
 - name: remove suid/sgid bit from all binaries except in system and user whitelist
 file: path='{{item}}' mode='a-s' state=file follow=yes
 with_items:
- - '{{ suid | difference(os_security_suid_sgid_whitelist) }}'
+ - '{{ suid | default(omit) | difference(os_security_suid_sgid_whitelist) }}'
 when: os_security_suid_sgid_remove_from_unknown

From a9605356110aa12c45df2ff72a9423b7186680eb Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Wed, 20 Jan 2016 21:05:56 +0100
Subject: [PATCH 2/2] remove commented task

---
 tasks/suid_sgid.yml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tasks/suid_sgid.yml b/tasks/suid_sgid.yml
index fdedd976..999f3f85 100644
--- a/tasks/suid_sgid.yml
+++ b/tasks/suid_sgid.yml
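Review bot: In the second hunk (`@@ -20,5 +25,5 @@`), `default(omit)` feeds `difference()` a string rather than a list: `omit` is Ansible's placeholder for leaving a module argument unset and is only meaningful as the whole argument value, so inside a filter chain it is just the placeholder string, and the task appears to survive only because the per-item `when` skips whatever items the filter derives from it. `default([])` gives `difference()` the empty list it expects and leaves nothing to iterate: `- '{{ suid | default([]) | difference(os_security_suid_sgid_whitelist) }}'`. Since the root cause is the loop being expanded before `when` is evaluated (the linked ansible issue), a comment on the task would stop the next reader from simplifying it away, e.g. `# default([]): with_items is expanded before when, so suid must exist even when the gather task was skipped`.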
@@ -12,11 +12,6 @@
 when: os_security_suid_sgid_remove_from_unknown
 changed_when: False
 
-#- name: initialize suid-variable so last task does not crash when second last does not run
-# set_fact:
-# suid: ''
-# when: os_security_suid_sgid_remove_from_unknown
-
 - name: gather files from which to remove suids/sgids and remove system white-listed files
 set_fact:
 suid: '{{ sbit_binaries.stdout_lines | difference(os_security_suid_sgid_system_whitelist) }}'