Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[stable-2.8] Change default file permissions so they are not world re…
…adable (#70221) (#70827) * [stable-2.8] Change default file permissions so they are not world readable (#70221) * Change default file permissions so they are not world readable CVE-2020-1736 Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults. A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code. - use a set for storing list of created files - just check the argument spac and params rather than using another property - improve the warning message to include the default permissions. (cherry picked from commit 5260527) Co-authored-by: Sam Doran <sdoran@redhat.com> * Fix service test * Fix lamdba_policy test * Fix aws_lamdba test * Fix warning for new default permissions when mode is not specified (#70976) Follow up to #70221 Related to #67794 CVE-2020-1736 When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly. * Fix tests - actually use custom module 🤦♂️ - verify file permission on created files - use remote_tmp_dir so we're ready for split controller - improve test module so we can skip the call to set_fs_attributes_if_different() - fix tests for CentOS 6 (cherry picked from commit dc79528) * Use new category in changelog fragments
- Loading branch information
Showing
13 changed files
with
191 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
security_fixes: | ||
- > | ||
**security issue** atomic_move - change default permissions when creating | ||
temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736) |
4 changes: 4 additions & 0 deletions
4
changelogs/fragments/67794-default-permissions-warning-fix.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
security_fixes: | ||
- > | ||
Fix warning for default permission change when no mode is specified. Follow up | ||
to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
shippable/posix/group3 |
36 changes: 36 additions & 0 deletions
36
test/integration/targets/module_utils_basic/library/test_perm_warning.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
#!/usr/bin/python | ||
# -*- coding: utf-8 -*- | ||
# Copyright (c) 2020 Ansible Project | ||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) | ||
|
||
from __future__ import absolute_import, division, print_function | ||
__metaclass__ = type | ||
|
||
import tempfile | ||
|
||
from ansible.module_utils.basic import AnsibleModule | ||
|
||
|
||
def main(): | ||
module = AnsibleModule( | ||
argument_spec={ | ||
'dest': {'type': 'path'}, | ||
'call_fs_attributes': {'type': 'bool', 'default': True}, | ||
}, | ||
add_file_common_args=True, | ||
) | ||
|
||
results = {} | ||
|
||
with tempfile.NamedTemporaryFile(delete=False) as tf: | ||
file_args = module.load_file_common_arguments(module.params) | ||
module.atomic_move(tf.name, module.params['dest']) | ||
|
||
if module.params['call_fs_attributes']: | ||
results['changed'] = module.set_fs_attributes_if_different(file_args, True) | ||
|
||
module.exit_json(**results) | ||
|
||
|
||
if __name__ == '__main__': | ||
main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
dependencies: | ||
- setup_remote_tmp_dir |
33 changes: 33 additions & 0 deletions
33
test/integration/targets/module_utils_basic/tasks/main.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
- name: Run task with no mode | ||
test_perm_warning: | ||
dest: "{{ remote_tmp_dir }}/endangerdisown" | ||
register: no_mode_results | ||
|
||
- name: Run task with mode | ||
test_perm_warning: | ||
mode: '0644' | ||
dest: "{{ remote_tmp_dir }}/groveestablish" | ||
register: with_mode_results | ||
|
||
- name: Run task without calling set_fs_attributes_if_different() | ||
test_perm_warning: | ||
call_fs_attributes: no | ||
dest: "{{ remote_tmp_dir }}/referabletank" | ||
register: skip_fs_attributes | ||
|
||
- stat: | ||
path: "{{ remote_tmp_dir }}/{{ item }}" | ||
loop: | ||
- endangerdisown | ||
- groveestablish | ||
register: files | ||
|
||
- name: Ensure we get a warning when appropriate | ||
assert: | ||
that: | ||
- no_mode_results.warnings | default([], True) | length == 1 | ||
- "'created with default permissions' in no_mode_results.warnings[0]" | ||
- files.results[0]['stat']['mode'] == '0600' | ||
- files.results[1]['stat']['mode'] == '0644' | ||
- with_mode_results.warnings is not defined # The Jinja version on CentOS 6 does not support default([], True) | ||
- skip_fs_attributes.warnings | default([], True) | length == 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters