The default permissions used by atomic_move can create files that are world readable #67794
Comments
|
Files identified in the description: If these files are inaccurate, please update the |
ansibot
added
affects_2.10
|
Files identified in the description: If these files are inaccurate, please update the |
fixes ansible#67794 updated some tests that expected previous defaults CVE-2020-1736
fixes ansible#67794 updated some tests that expected previous defaults CVE-2020-1736
fixes #67794 updated some tests that expected previous defaults CVE-2020-1736
…8970) fixes ansible#67794 updated some tests that expected previous defaults CVE-2020-1736 (cherry picked from commit 566f246)
…8970) fixes ansible#67794 updated some tests that expected previous defaults CVE-2020-1736 (cherry picked from commit 566f246)
|
reopened since PR that had been merged was reverted due to much larger impact than initially forseen. |
|
@bcoca Can you please point me to the commit were this was reverted? I am not seeing it. https://github.com/bcoca/ansible/commits/2127777856f81bd03666db5a68b379901a849845/lib/ansible/module_utils/common/file.py |
|
OK, so according to #68983 it appears this was reverted because we broke some tests in collections. What is the solution? Maybe we need a |
ansibot
added
the
needs_triage
jimi-c
removed
the
needs_triage
As of Ansible 2.9.12, the default modes are stricter. See: ansible/ansible#67794
|
It broke my playbook too.
Yes it should. |
As of Ansible 2.9.12, the default modes are stricter. See: ansible/ansible#67794
As of Ansible 2.9.12, the default modes are stricter. See: ansible/ansible#67794
|
I also ran into this issue today, using Ansible 2.9.12 from the Launchpad Ansible repo: Could it be that is hasn't been reverted there? It is causing a lot of trouble for our automated installations currently. |
|
Correct, there has not yet been another release since the change was reverted. The revert will be in the next 2.9 release. |
|
Is there a timeline for a new release? I'm specifically interested in 2.8, but it'd probably be helpful to know both. |
|
Likely around 8/31 or 9/1. Releases typically happen every 3 weeks (though that is changing slightly, soon). |
We need to set mode for copy operation otherwise ansible-2.9.12 can lead to too restrictive default permissions[1]. Setting mode for copy operations handles the warning. [1.] ansible/ansible#67794 Change-Id: Ieae36a1d85a7da84ee2cd982a20dcabe9e65511f Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
* Update openstack-ansible-os_tempest from branch 'master'
- Set mode for copy operation
We need to set mode for copy operation otherwise ansible-2.9.12
can lead to too restrictive default permissions[1].
Setting mode for copy operations handles the warning.
[1.] ansible/ansible#67794
Change-Id: Ieae36a1d85a7da84ee2cd982a20dcabe9e65511f
Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
v2.9.12 ======= Minor Changes ------------- - ansible-test - the ACME test container was updated, it now supports external account creation and has a basic OCSP responder (ansible/ansible#71097, https://github.com/ansible/acme-test-container/releases/tag/2.0.0). - debconf - add a note about no_log=True since module might expose sensitive information to logs (ansible/ansible#32386). Security Fixes -------------- - **security issue** - copy - Redact the value of the no_log 'content' parameter in the result's invocation.module_args in check mode. Previously when used with check mode and with '-vvv', the module would not censor the content if a change would be made to the destination path. (CVE-2020-14332) - **security issue** atomic_move - change default permissions when creating temporary files so they are not world readable (ansible/ansible#67794) (CVE-2020-1736) - Fix warning for default permission change when no mode is specified. Follow up to ansible/ansible#67794. (CVE-2020-1736) - Sanitize no_log values from any response keys that might be returned from the uri module (CVE-2020-14330). - reset logging level to INFO due to CVE-2019-14846. Bugfixes -------- - Address compat with rpmfluff-0.6 for integration tests - Ensure password passed in by -k is used on delegated hosts that do not have ansible_password set - Template connection variables before using them (ansible/ansible#70598). - Terminal plugins - add "\e[m" to the list of ANSI sequences stripped from device output - add magic/connection vars updates from delegated host info. - ansible-galaxy collection install - fix fallback mechanism if the AH server did not have the collection requested - ansible/ansible#70940 - ansible-test - Add ``pytest < 6.0.0`` constraint for managed installations on Python 3.x to avoid issues with relative imports. - ansible-test - Change detection now properly resolves relative imports instead of treating them as absolute imports. - api - time.clock is removed in Python 3.8, add backward compatible code (ansible/ansible#70649). - avoid clobbering existing facts inside loop when task also returns ansible_facts. - basic - use PollSelector implementation when DefaultSelector fails (ansible/ansible#70238). - cron - encode and decode crontab files in UTF-8 explicitly to allow non-ascii chars in cron filepath and job (ansible/ansible#69492) - ensure delegated vars can resolve hostvars object and access vars from hostvars[inventory_hostname]. - facts - account for Slackware OS with ``+`` in the name (ansible/ansible#38760) - facts - fix incorrect UTC timestamp in ``iso8601_micro`` and ``iso8601`` - fix issue with inventory_hostname and delegated host vars mixing on connection settings. - hashi_vault - Handle equal sign in key=value (ansible/ansible#55658). - ipa_hostgroup - fix an issue with load-balanced ipa and cookie handling with Python 3 - (ansible/ansible#71110). - lineinfile - fix not subscriptable error in exception handling around file creation - linux network facts - get the correct value for broadcast address (ansible/ansible#64384) - mysql_user - fix overriding password to the same (ansible-collections/community.general#543). - net_put - Fixed UnboundLocalError when there is no change This is a backport from U(ansible-collections/ansible.netcommon#6) - nxos_user - do not fail when a custom role is used (ansible-collections/cisco.nxos#130) - ovirt_vm - fix cd_iso search - playbooks - detect and propagate failures in ``always`` blocks after ``rescue`` (ansible/ansible#70000) - profile_tasks - typecast result before slicing it (ansible/ansible#59059). - reboot - Add support for the runit init system, used on Void Linux, that does not support the normal Linux syntax. - redfish_info, redfish_config, redfish_command - Fix Redfish response payload decode on Python 3.5 (ansible/ansible#65889) - shell - fix quoting of mkdir command in creation of remote_tmp in order to allow spaces and other special characters (ansible/ansible#69577). - templating - fix error message for ``x in y`` when y is undefined (ansible/ansible#70984) - unarchive - check ``fut_gid`` against ``run_gid`` in addition to supplemental groups (ansible/ansible#49284) - user - don't create home directory and missing parents when create_home == false (ansible/ansible#70600). - yum - fix yum list crashing if repoquery (used internally) prints errors in stdout (ansible/ansible#56800)
Add a comment to parameter 'mode' to highlight CVE-2020-1736 and the versions of Ansible that are vulnerable. As of Ansible 2.9.10, this vulnerability has not been properly addressed so that string '2.9.10' is subject to a future change. Tickets: - Refs ansible#67794 - Refs ansible#71324
Add a comment to parameter 'mode' to highlight CVE-2020-1736 and the versions of Ansible that are vulnerable. As of Ansible 2.9.10, this vulnerability has not been properly addressed so that string '2.9.10' is subject to a future change. Tickets: - Refs ansible#67794 - Refs ansible#71324
Add a comment to parameter 'mode' to highlight CVE-2020-1736 and the versions of Ansible that are vulnerable. As of Ansible 2.9.10, this vulnerability has not been properly addressed so that string '2.9.10' is subject to a future change. Tickets: - Refs ansible#67794 - Refs ansible#71324
|
Files identified in the description:
If these files are incorrect, please update the |
|
Files identified in the description: If these files are incorrect, please update the |
|
I wonder is there any Ansible config where I can simply set the default file/dir mode or umask to 0644? Or is 0644 always the default? |
Read the bug report. The current umask is whatever the target system has set as default, which for Debian-based systems is 0022. You don't want to set it to 0644. IMHO this isn't a security bug, because you have to deliberately set the umask to make files world-readable ... to get world-readable files. |
|
I meant if the 0022 umask can be enforced as a default by ansible configuration. |
Please ask in a support channel as this is unrelated to the bug report. |
|
closing this as it is not really an ansible bug, but how the user has configured umask on their system. |
SUMMARY
CVE-2020-1736
If a file doesn't exist, we create it with
0666permissions combined with the currentumask. Depending on the default umask as well as the permissions on the destination directory, this could result in world readable files.Relevant code:
Default permissions:
ansible/lib/ansible/module_utils/common/file.py
Lines 60 to 62 in 79dfae9
creation in
atomic_move:ansible/lib/ansible/module_utils/basic.py
Lines 2296 to 2303 in 79dfae9
Suggested correction is to use more restrictive permissions by default and/or add a mechanism to prevent creating world readable files.
ISSUE TYPE
COMPONENT NAME
ansible/lib/ansible/module_utils/common/file.pyansible/lib/ansible/module_utils/basic.pyANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: