Description
SUMMARY
A race condition exists in ansible-vault edit which could allow another user on the same computer to read both the old and the new secret.
When executing ansible-vault edit, the method VaultEditor._edit_file_helper() creates the temporary file with tempfile.mkstemp(). However, the returned file descriptor is closed and VaultEditor.write_data() is called to write to the file by path. VaultEditor.write_data() deletes the file and recreates it. A malicious local user who wins the race can create the file at that path after the unlink, with permissions that allow them to read it.
The proposed solution is to write directly to the file descriptor returned by mkstemp() in VaultEditor._edit_file_helper() rather than deleting the file and creating a new one.
Relevant code:
ansible/lib/ansible/parsing/vault/__init__.py
Lines 851 to 859 in 79dfae9
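The following is an added illustration, not Ansible's code: a constructed stand-in for the delete-and-recreate write beside the proposed fix that writes through the mkstemp() descriptor, with a helper that reports whether the original 0600 inode survived. The function names (write_data_unsafe, write_data_safe, edit_file_helper) are hypothetical.

```python
import os
import stat
import tempfile

def write_data_unsafe(path: str, data: bytes) -> None:
    """Constructed illustration of the flaw: remove and recreate the file.

    Between os.remove() and open() the path is unowned, and the new file's
    mode follows the process umask instead of the 0600 mkstemp applied.
    """
    if os.path.exists(path):
        os.remove(path)
    with open(path, "wb") as f:
        f.write(data)

def write_data_safe(fd: int, data: bytes) -> None:
    """Hardened form: write through the descriptor mkstemp returned.

    The 0600 inode is kept, so there is no unlink/recreate window in which
    another local user could plant a file at the path.
    """
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) != 0o600:
        raise RuntimeError("temp file is not a private regular file")
    with os.fdopen(fd, "wb") as f:  # closes fd on exit
        f.write(data)

def edit_file_helper(data: bytes, safe: bool) -> dict:
    """Mimic the edit helper under a permissive umask and report the outcome."""
    old_umask = os.umask(0o022)
    try:
        fd, path = tempfile.mkstemp()
        inode_before = os.fstat(fd).st_ino
        if safe:
            write_data_safe(fd, data)
        else:
            os.close(fd)
            write_data_unsafe(path, data)
        st = os.stat(path)
        with open(path, "rb") as f:
            content = f.read()
        os.remove(path)
    finally:
        os.umask(old_umask)
    return {
        "same_inode": st.st_ino == inode_before,  # True only for the safe path
        "mode": stat.S_IMODE(st.st_mode),          # 0o600 safe, 0o644 unsafe
        "content": content,
    }
```

Running edit_file_helper(b"secret", safe=False) on a POSIX system shows the rewritten file at mode 0644, i.e. readable by every local user, whereas the safe path keeps mode 0600 on the same inode.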
ISSUE TYPE
- Bug Report
COMPONENT NAME
lib/ansible/parsing/vault/__init__.py
ANSIBLE VERSION
2.10
CONFIGURATION
default
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS