
Insecure creation of temporary directory for become_user #67791

Closed
samdoran opened this issue Feb 26, 2020 · 5 comments · Fixed by #68921
Labels
affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. has_pr This issue has an associated PR. security Related to a vulnerability or CVE support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

SUMMARY

CVE-2020-1733

We create a temporary directory for the become_user with umask 077 in /var/tmp without first checking if the directory exists and that it has the expected permissions.

Relevant code

        # Wrap cmd so the remote shell runs it under umask (0o777 & ~mode),
        # e.g. umask 077 for mode 0o700; nothing here checks what already
        # exists at the target path in the shared parent (/var/tmp).
        if mode:
            tmp_umask = 0o777 & ~mode
            cmd = '%s umask %o %s %s %s' % (self._SHELL_GROUP_LEFT, tmp_umask, self._SHELL_AND, cmd, self._SHELL_GROUP_RIGHT)
        return cmd

We need to validate the parent directories are as expected before creating directories in those paths and fail if the permissions and/or ACLs are not what we expect.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/plugins/shell/__init__.py

ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS

@samdoran samdoran added the security Related to a vulnerability or CVE label Feb 26, 2020
ansibot commented Feb 26, 2020

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibot commented Feb 26, 2020

@ansibot ansibot added affects_2.10 This issue/PR affects Ansible v2.10 bug This issue/PR relates to a bug. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Feb 26, 2020
ansibot commented Mar 29, 2020

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


sshedi commented Apr 4, 2020

@samdoran Please review this change, this is my first PR, please pardon me if you find any mistakes.

@ansibot ansibot added the has_pr This issue has an associated PR. label Apr 4, 2020
bcoca commented Apr 6, 2020

I would say we need to check 'after' since any check 'before' would be subject to race conditions
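
The two points above, the issue's description of a directory created under a shared parent like /var/tmp with nothing verified, and bcoca's reply that the check has to come after creation because any check before it races, as an added Python example. This is not Ansible's code and not the fix in #68921; the names tempdir_name, verify_tempdir, secure_mkdtemp, insecure_mkdtemp and demo are hypothetical, and the pre-fix pattern is reconstructed as os.makedirs(..., exist_ok=True) to stand in for "mkdir -p" semantics, which is an assumption about the old shell command beyond the "-p" named in the commit title. The scratch parent directory and the planted entries are constructed by the example itself.

```python
import os
import stat
import secrets


def tempdir_name(prefix="ansible-tmp-"):
    # Hypothetical name generator. #68921 folded the pid into the name for
    # more uniqueness; a random token additionally makes it unpredictable,
    # so an attacker cannot pre-create the path in the shared parent.
    return "%s%d-%s" % (prefix, os.getpid(), secrets.token_hex(8))


def verify_tempdir(path, expected_mode=0o700):
    """Post-creation check, done with lstat so a planted symlink is seen as a
    symlink rather than followed.  The path must be a directory, owned by
    the current euid, with exactly expected_mode in its permission bits.
    Raises RuntimeError otherwise; returns the stat result on success."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise RuntimeError("%s is a symlink, refusing to use it" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("%s is owned by uid %d, not by us" % (path, st.st_uid))
    # Mask to the rwx bits: a setgid parent directory hands its setgid bit
    # down to new subdirectories on Linux, and that is not a finding here.
    actual = stat.S_IMODE(st.st_mode) & 0o777
    if actual != expected_mode:
        raise RuntimeError("%s has mode %o, expected %o" % (path, actual, expected_mode))
    return st


def secure_mkdtemp(parent, mode=0o700):
    """Create exactly one new directory under parent, then verify it.
    os.mkdir (no '-p') fails with EEXIST if anything, including a symlink,
    already sits at the name, so an attacker-planted entry is never reused."""
    path = os.path.join(parent, tempdir_name())
    old_umask = os.umask(0o777 & ~mode)   # same umask arithmetic as the issue's snippet
    try:
        os.mkdir(path, mode)
    finally:
        os.umask(old_umask)
    verify_tempdir(path, mode)            # the check bcoca asks for: after, not before
    return path


def insecure_mkdtemp(parent, name, mode=0o700):
    """The pre-fix shape, reconstructed for contrast (an assumption about the
    old shell command beyond the '-p' named in the commit title): 'mkdir -p'
    semantics accept a directory that already exists, whatever its owner or
    mode, and nothing is verified afterwards."""
    path = os.path.join(parent, name)
    old_umask = os.umask(0o777 & ~mode)
    try:
        os.makedirs(path, mode, exist_ok=True)
    finally:
        os.umask(old_umask)
    return path


def _raises(fn, *args):
    """True if fn(*args) raises any exception."""
    try:
        fn(*args)
    except Exception:
        return True
    return False


def demo():
    """Exercise both paths in a scratch parent directory (constructed here,
    not /var/tmp) and return a dict of outcomes."""
    import tempfile
    parent = tempfile.mkdtemp()
    results = {}
    good = secure_mkdtemp(parent)
    st = os.lstat(good)
    results["secure_mode_ok"] = (stat.S_IMODE(st.st_mode) & 0o777) == 0o700
    results["secure_owner_ok"] = st.st_uid == os.geteuid()

    # Simulated attacker: a world-writable directory already sitting at a
    # predictable name in the shared parent.
    planted = os.path.join(parent, "ansible-tmp-planted")
    os.mkdir(planted)
    os.chmod(planted, 0o777)
    results["insecure_accepts_planted"] = insecure_mkdtemp(parent, "ansible-tmp-planted") == planted
    results["verify_rejects_planted"] = _raises(verify_tempdir, planted)

    # Simulated attacker: a symlink at the name, pointing somewhere else.
    link = os.path.join(parent, "ansible-tmp-link")
    os.symlink(parent, link)
    results["mkdir_refuses_symlink"] = _raises(os.mkdir, link, 0o700)
    results["verify_rejects_symlink"] = _raises(verify_tempdir, link)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The ordering is the whole point: creation with plain mkdir is the atomic step that fails if the name is taken, and the lstat afterwards confirms what that step actually produced. A stat of the parent before mkdir would tell you nothing binding, because another user can change the shared parent between the stat and the mkdir.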

bcoca added a commit to bcoca/ansible that referenced this issue Apr 13, 2020
  * also consolidated temp dir name generation, added pid for more 'uniqueness'
  * generalize error message
  * added notes about remote expansion

CVE-2020-1733
fixes ansible#67791
@bcoca bcoca mentioned this issue Apr 13, 2020
bcoca added a commit that referenced this issue Apr 13, 2020
* also consolidated temp dir name generation, added pid for more 'uniqueness'
* generalize error message
* added notes about remote expansion

CVE-2020-1733
fixes #67791
mattclay pushed a commit that referenced this issue Apr 14, 2020
* avoid mkdir -p (#68921)

* also consolidated temp dir name generation, added pid for more 'uniqueness'
* generalize error message
* added notes about remote expansion

CVE-2020-1733
fixes #67791

(cherry picked from commit 8077d8e)

* C

* Update lib/ansible/plugins/shell/__init__.py

Co-Authored-By: Abhijeet Kasurde <akasurde@redhat.com>

* adjusted for missing api

Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
@ansible ansible locked and limited conversation to collaborators May 11, 2020