The following task in cis_6.2.x.yml sets a default ACL of r-x for the group on user home directories:
```yaml
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set group ACL"
  ansible.posix.acl:
    path: "{{ item }}"
    default: true
    etype: group
    permissions: rx
    state: present
  loop: "{{ discovered_interactive_users_home.stdout_lines }}"
  when: not system_is_container
```
This causes all new files created inside the home directory to inherit the execute bit for group, even if they aren’t intended to be executable. For example, checking out a Git repository results in every file being marked with mode 100755 instead of 100644.
This behavior:

- Deviates from typical umask 0027 expectations,
- Introduces incorrect file permissions,
- Breaks workflows involving source control or deployment tools.

**Suggested Fix**
Update the permissions to r (read-only) instead of rx, to prevent accidental propagation of execute bits to regular files:
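As an added audit check (not part of this issue or of the role it reports on), the following shell snippet parses `getfacl` output and reports any default ACL entry, other than the owning user's, that would pass an execute bit on to files created inside the directory. The two `getfacl` outputs are constructed samples, one for the task as shown above and one for the suggested `permissions: r` setting; `check_home_dir` is a hypothetical wrapper that runs the same check against a real path:

```shell
# Constructed sample of `getfacl` output for a home directory after the
# task above has applied a default group ACL of r-x.
SAMPLE_RX='# file: home/alice
# owner: alice
# group: alice
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---'

# Constructed sample for the same directory after the suggested fix,
# i.e. a default group ACL of r only.
SAMPLE_R='# file: home/alice
# owner: alice
# group: alice
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r--
default:other::---'

# Print every default ACL entry, except the owning user's, whose
# permission set contains x. Default entries are copied onto new files
# and directories, so these are the ones that matter for inheritance.
default_exec_entries() {
    printf '%s\n' "$1" | awk -F: '
        /^default:/ && !($2 == "user" && $3 == "") && $4 ~ /x/ {
            print $2 ":" $3 ":" $4
        }'
}

# Hypothetical wrapper: run the check against a real directory.
# Needs getfacl from the acl package; returns 1 if an entry is found.
check_home_dir() {
    acl=$(getfacl -p "$1" 2>/dev/null) || return 2
    found=$(default_exec_entries "$acl")
    [ -z "$found" ] && return 0
    printf '%s: default ACL grants execute: %s\n' "$1" "$found"
    return 1
}

default_exec_entries "$SAMPLE_RX"   # prints: group::r-x
default_exec_entries "$SAMPLE_R"    # prints nothing
```

Run `check_home_dir /home/<user>` on each interactive user's home directory to see which ones still carry the r-x default entry.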