
ansible-vault edit race condition #67798

Closed
@samdoran

Description

SUMMARY

CVE-2020-1740

A race condition exists in ansible-vault edit which could allow another user on the same computer to read the old and new secret.

When executing ansible-vault edit, the method VaultEditor._edit_file_helper() creates the temporary file with tempfile.mkstemp(). However, the returned file descriptor is closed and VaultEditor.write_data() is called to write to the file. VaultEditor.write_data() will delete the file and recreate it. A malicious user can create the file with permissions allowing them access to the file after the unlink.

The proposed solution is to write directly to the file descriptor in VaultEditor._edit_file_helper() rather than deleting and creating a new file.

Relevant code:

        # Create a tempfile
        root, ext = os.path.splitext(os.path.realpath(filename))
        # mkstemp() creates the file O_EXCL with mode 0600 and hands back an open descriptor
        fd, tmp_path = tempfile.mkstemp(suffix=ext)
        # The descriptor is closed instead of being written to, so the guarantees
        # of mkstemp() are lost once write_data() unlinks and recreates tmp_path
        os.close(fd)
        cmd = self._editor_shell_command(tmp_path)
        try:
            if existing_data:
                # write_data() deletes tmp_path and creates a new file at the same path
                self.write_data(existing_data, tmp_path, shred=False)

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/parsing/vault/__init__.py

ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
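As an added illustration, not part of the report and not Ansible's code, the following contrasts the two write patterns the report describes: writing through the descriptor returned by tempfile.mkstemp() (the proposed fix) versus unlinking the path and recreating it (what write_data() does). The function names, the pinned umask of 0o022 and the sample vault content are constructed for this example.

```python
import os
import stat
import tempfile


def mode_bits(path):
    """Permission bits of path (e.g. 0o600), ignoring the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_via_descriptor(data, suffix=""):
    """Safe pattern, as proposed in the report: write through the descriptor
    that mkstemp() returned instead of closing it and re-creating the path.

    Hypothetical helper written for this example, not Ansible's code.
    mkstemp() opens the file with O_CREAT|O_EXCL and mode 0o600, so the inode
    we write to is the one we created, and because the path is never unlinked
    there is no window in which another local user could place a file of
    their own at tmp_path.
    """
    fd, tmp_path = tempfile.mkstemp(suffix=suffix)
    try:
        # fstat() on the descriptor reports the inode we actually hold; the
        # path must still resolve to that same inode before we trust it.
        same_inode = os.fstat(fd).st_ino == os.stat(tmp_path).st_ino
        with os.fdopen(fd, "wb") as fh:  # fdopen takes ownership of fd and closes it
            if not same_inode:
                raise RuntimeError("temporary file was replaced before the write")
            fh.write(data)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return tmp_path


def unlink_and_recreate(path, data):
    """Mirror of the write_data() behaviour the report describes: delete the
    file and create a new one at the same path. Constructed for illustration,
    not Ansible's code.

    The new file's mode comes from open()'s default 0o666 masked by the
    process umask, not from mkstemp()'s 0o600, and between the unlink and
    the open nobody owns the path. The umask is pinned to 0o022 so the
    result is deterministic. Returns the permission bits of the new file.
    """
    old_umask = os.umask(0o022)
    try:
        os.unlink(path)
        with open(path, "wb") as fh:
            fh.write(data)
    finally:
        os.umask(old_umask)
    return mode_bits(path)


if __name__ == "__main__":
    # Constructed sample content standing in for an encrypted vault file.
    tmp = write_via_descriptor(b"$ANSIBLE_VAULT;1.1;AES256\n00000000\n")
    print("mkstemp + write through fd:", oct(mode_bits(tmp)))
    print("unlink + recreate:         ", oct(unlink_and_recreate(tmp, b"new contents")))
    os.unlink(tmp)
```

Run on a POSIX system, the first line prints 0o600 and the second 0o644: even with no other user involved, the recreated file has already lost the owner-only permissions that mkstemp() established, which is why the report proposes keeping and writing through the original descriptor.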

Metadata

Labels

  • affects_2.10: This issue/PR affects Ansible v2.10
  • bug: This issue/PR relates to a bug.
  • has_pr: This issue has an associated PR.
  • security: Related to a vulnerability or CVE
  • support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
