Make sure umask is set restrictively before creating any vault files

ansible · Apr 18, 2014 · a0e027f · a0e027f
1 parent c4b5e46
commit a0e027f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
@@ -189,13 +189,15 @@ def create_file(self):
             raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename)
 
         # drop the user into vim on file
+        old_umask = os.umask(0077)
         EDITOR = os.environ.get('EDITOR','vim')
         call([EDITOR, self.filename])
         tmpdata = self.read_data(self.filename)
         this_vault = VaultLib(self.password)
         this_vault.cipher_name = self.cipher_name
         enc_data = this_vault.encrypt(tmpdata)
         self.write_data(enc_data, self.filename)
+        os.umask(old_umask)
 
     def decrypt_file(self):
 
@@ -218,6 +220,9 @@ def edit_file(self):
         if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
+        # make sure the umask is set to a sane value
+        old_mask = os.umask(0077)
+
         # decrypt to tmpfile
         tmpdata = self.read_data(self.filename)
         this_vault = VaultLib(self.password)
@@ -243,6 +248,9 @@ def edit_file(self):
         # shuffle tmp file into place
         self.shuffle_files(tmp_path, self.filename)
 
+        # and restore the old umask
+        os.umask(old_mask)
+
     def encrypt_file(self):
 
         if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH: