ignore ansible.cfg in world writable cwd #42070
lib/ansible/config/manager.py
perms1 = os.stat(path1) | ||
if perms1.st_mode & stat.S_IWOTH: | ||
# Ansible is in a world writable directory, ignoring it as ansible.cfg source. | ||
path1 = None |
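Review bot: `os.stat(path1)` on the first line of the hunk is unguarded; if `path1` does not exist or cannot be read it raises OSError before the `S_IWOTH` test is reached, so catch that (or check existence first) and treat the failure the same way as the world-writable case by setting `path1 = None`. The directory is also dropped silently: nothing is emitted, so a user whose ansible.cfg stops applying has no way to tell why. Finally, the comment "Ansible is in a world writable directory" describes the current working directory, not where Ansible is installed; say "cwd is world writable, ignoring it as ansible.cfg source".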
Do we want to do a display.warning() here?
@bcoca says that we don't have a display object created yet. If we attempt to use a display object, it will throw an error. I think we should add a commented out call to display.warn() here so that someone can remember to add this once we're able to. (I'm planning to replace/reimplement the backend of display with logging infrastructure for 2.8. And once we have that, we can either queue early updates for later logging or we can push the earliest messages to a log that does not depend on configuration.)
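As an added example, not Ansible's code and not what this PR merged: the trust check under discussion, with the warning parked in a list until a display object exists, which is the "queue early updates for later logging" idea from the comment above. It goes further than the PR's directory-only check by also refusing a world-writable file or one owned by another user, and it turns a failed stat into a warning instead of an exception. The names `trusted_cwd_config`, `pending_warnings` and `demo`, and the two temporary directories `demo` builds, are assumptions made here for illustration.

```python
"""Trust check for an ansible.cfg found in the current working directory.

Added example, not Ansible's code: the names trusted_cwd_config,
pending_warnings and demo, and the directories demo() builds, are
assumptions made here for illustration.
"""
import os
import stat
import tempfile

# Stand-in for display.warning(): the real display object does not exist yet
# when config is resolved, so messages are parked here and flushed later.
pending_warnings = []


def trusted_cwd_config(cwd, filename="ansible.cfg"):
    """Return cwd/ansible.cfg if it is safe to load, otherwise None.

    Refuses the file when the directory is world writable (any other user
    could have planted or replaced it), when the file itself is world
    writable, or when the file is owned by someone other than the current
    user or root.  Missing file: None without a warning.  Any other stat
    failure: None with a warning, instead of an unhandled OSError.
    """
    path = os.path.join(cwd, filename)
    try:
        dir_st = os.stat(cwd)
        file_st = os.stat(path)
    except FileNotFoundError:
        return None
    except OSError as exc:
        pending_warnings.append("Ignoring %s: cannot stat it (%s)" % (path, exc))
        return None

    if dir_st.st_mode & stat.S_IWOTH:
        pending_warnings.append(
            "Ignoring %s: directory %s is world writable" % (path, cwd))
        return None
    if file_st.st_mode & stat.S_IWOTH:
        pending_warnings.append("Ignoring %s: file is world writable" % path)
        return None
    if file_st.st_uid not in (os.getuid(), 0):
        pending_warnings.append(
            "Ignoring %s: owned by uid %d, not the current user"
            % (path, file_st.st_uid))
        return None
    return path


def demo():
    """Build two constructed cwd layouts and report which ansible.cfg is trusted.

    'private' is a normal 0755 directory; 'shared' is 0777, as a shared
    scratch directory on a multi-user server would be.
    """
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("private", 0o755), ("shared", 0o777)):
            d = os.path.join(base, name)
            os.mkdir(d)
            cfg = os.path.join(d, "ansible.cfg")
            with open(cfg, "w") as fh:
                fh.write("[defaults]\nhost_key_checking = False\n")
            os.chmod(cfg, 0o644)   # fixed file mode, independent of umask
            os.chmod(d, mode)
            results[name] = trusted_cwd_config(d) is not None
    return results


if __name__ == "__main__":
    print(demo())
    # Flush the parked warnings once a display exists; here just print them.
    for msg in pending_warnings:
        print("[WARNING]: " + msg)
```

The sticky bit is deliberately not honoured: in a sticky world-writable directory such as a shared scratch area, any user can still create `ansible.cfg` before you do, so the file is no more trustworthy there than in a plain 0777 directory.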
The two failures here were unrelated. Rebuilding those two jobs (windows and the rhel7 vm builder).
Okay, down to one failure. Still looks unrelated (it was unstable last time and failed this time). The build target is windows/2012-R2/1. I'm hitting rebuild in shippable again.
Tests completed successfully this time. Unstable is from the windows test, unrelated to this change. The only things left are to add a commented out call to display.warn() so that we can remember to add that once we have the capability, and a changelog file. The logic looks good. Please merge and backport all the way to 2.4 ASAP.
Talked with @misc who noted that ansible.cfg locations are not noted in the documentation (seems like it used to be but was accidentally omitted when the documentation was reorganized). So we need to add to documentation (either intro_configuration or somewhere under the reference_guide... from the (broken) link name, it appears that dharmabumstead was intending to move it under reference guide). We also need to add ansible.cfg in current working directory to the FILES section of the man pages (the other locations are listed there but not CWD). That section is in /docs/templates/man.j2. So list of changes to be made:
The old documentation is right under the table of contents here: https://github.com/ansible/ansible/blob/stable-2.3/docs/docsite/rst/intro_configuration.rst
The test
* also added 'warnings' to config * updated man page template
@@ -0,0 +1,2 @@ | |||
bugfixes: | |||
- avoid using ansible.cfg in a world readable dir, readd missing docs |
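Review bot: the changelog line says "world readable dir", but the check this PR adds tests `stat.S_IWOTH` and the PR title says "world writable cwd"; a world-readable directory is the normal case and is not what is being refused. Change it to `- avoid using ansible.cfg in a world writable dir, readd missing docs` so the release notes match the behaviour.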
Since we don't have a dedicated category for security fixes, please prepend **Security Fix** - to this:
bugfixes:
- ** Security Fix ** - avoid using ansible.cfg in a world readable dir, readd missing docs
Current docs on how Ansible loads config are at https://docs.ansible.com/ansible/devel/reference_appendices/config.html#ansible-configuration-settings-locations.
@misc is not me, that's @mscherer in github land. I think I wasn't clear when we discussed; my point was that maybe we should write in the doc something around what to watch for, from a security point of view, when you have a shared server to run Ansible with multiple users.
@mscherer, what should that section have to say about this issue?
The following builders failed but all look unrelated:
Rebuilding them to see whether they come up green.
* ignore ansible.cfg in world writable cwd * also added 'warnings' to config * updated man page template (cherry picked from commit b6f2aad) Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Just for administrative purposes ... this is the fix for CVE-2018-10874, right? You are not making it easy for non-Red Hat maintainers to find the patches they need :(. Oh well.
@mcepl to be fair, 'redhat' maintainers don't get any extra info beyond what you see here. This is the fix for CVE-2018-10875; the ticket you want is 42067. We normally don't tag the tickets with CVE info, just our releases. FYI, this ticket has some followups, as the conditions were too strict and unintentionally impaired functionality. It is not normally good to take our commits in isolation.
Yeah, I remember how disintegrated Red Hat sometimes tends to be. Oh well. I will take a look at that ticket. Thank you.
@mcepl not a question of integration/disintegration; the other teams just consume our releases, which would include these patches, so there is no need for them to find them on their own.
COMPONENT NAME
config