do not use predictable filenames in the LXC plugin #1941
|
Thanks @evgeni. To the current maintainers, @cloudnull please review according to guidelines (http://docs.ansible.com/ansible/developing_modules.html#module-checklist) and comment with text 'shipit' or 'needs_revision' as appropriate. [This message brought to you by your friendly Ansibull-bot.] |
|
@evgeni another path that could be fixed is archive_path. It currently defaults to /tmp/ so an attacker could make symlinks there. https://github.com/ansible/ansible-modules-extras/pull/1941/files#diff-cf760a9c318e06abfcf03558a58b2bc4R143 https://github.com/ansible/ansible-modules-extras/blob/devel/cloud/lxc/lxc_container.py#L1750 Since the purpose of archive is to create a backup of the container that the user can find later, we probably can't make it into an unpredictable tempfile. I think the best thing for that is to remove the default for archive_path. Then add a required_if to arg spec so that if archive is True, archive_path must be set by the user. |
|
@evgeni Code here looks good. If you're around go ahead and squash your commits for easier cherry-picking and let me know. I'm going to start working on the archive_path issue unless you tell me that you're already working on it (want to get these cherry-picked to stable-2.0 so that if we decide to do a 2.0.2rc3, it gets included) (Not sure if we'll do an rc3 yet... but I want to make sure the code is ready if we do.) |
|
@abadger I have the code ready on my laptop. Just needs a round of testing. Will push later tonight. |
|
@evgeni Excellent thanks. I'll merge and cherry-pick once you're ready. |
* do not use a predictable filename for the LXC attach script
* don't use predictable filenames for LXC attach script logging
* don't set a predictable archive_path

this should prevent symlink attacks which could result in
* data corruption
* data leakage
* privilege escalation
|
@abadger there, pushed. sorry it took longer, but I just fell asleep yesterday after arriving home from the customer |
|
@evgeni No worries. Thanks for taking the time to create this PR and test! |
|
Merged to devel, stable-2.0 and stable-1.9 branches. CHANGELOG updated on stable-2.0 and stable-1.9. Thanks for the fix! It will be in our next release on all three branches. |
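The class of bug this PR addresses, as an added example (not code from the PR or from lxc_container.py): a fixed file name in a shared directory is opened through whatever symlink already sits at that path, while `tempfile.mkstemp` creates a fresh, owner-only file. The function names, the file name `lxc-attach-script` and the sandbox layout are assumptions; everything runs inside a private temporary directory.

```python
import os
import shutil
import tempfile


def write_predictable(directory, body):
    """'Before' pattern: fixed name in a shared directory (name is assumed)."""
    path = os.path.join(directory, "lxc-attach-script")
    with open(path, "w") as handle:  # open() follows a symlink planted here
        handle.write(body)
    return path


def write_mkstemp(directory, body):
    """'After' pattern: mkstemp picks a random suffix, opens O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="lxc-attach-script", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(body)
    return path


def read(path):
    with open(path) as handle:
        return handle.read()


def demo():
    """Run both patterns against a pre-planted symlink inside a private sandbox."""
    sandbox = tempfile.mkdtemp()
    try:
        shared = os.path.join(sandbox, "shared-tmp")  # stands in for /tmp
        os.mkdir(shared)
        protected = os.path.join(sandbox, "protected.conf")
        with open(protected, "w") as handle:
            handle.write("original\n")
        # Constructed state: a link already sits at the predictable name
        os.symlink(protected, os.path.join(shared, "lxc-attach-script"))
        safe_path = write_mkstemp(shared, "#!/bin/sh\n")
        result = {"after_mkstemp": read(protected),
                  "mkstemp_is_symlink": os.path.islink(safe_path),
                  "mkstemp_mode": os.stat(safe_path).st_mode & 0o777}
        write_predictable(shared, "#!/bin/sh\n")
        result["after_predictable"] = read(protected)
        return result
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

The protected file is untouched after the `mkstemp` write and overwritten after the predictable-name write, which is the data-corruption case listed in the commit message.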
ISSUE TYPE
COMPONENT NAME
lxc_container
ANSIBLE VERSION
Git
SUMMARY
The attach script of the LXC module currently uses predictable names, allowing symlink attacks.
Using mkstemp and not NamedTempFile to keep Py 2.4 compat :(
CVE-2016-3096
PoC: