-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Breaking change in the "stable" releases #71200
Comments
Files identified in the description: If these files are incorrect, please update the |
Security fixes are allowed to create 'breaking changes'. Most bugfixes are a 'breaking change' if you relied on the buggy behaviour. We try to avoid backporting those that would be too impactfull, but that consideration is normally trumped by security concerns. |
I disagree, using default (which is also well-established one, i.e. using umask; normally anyone would assume the files to be created with such mode) is not equal to relying on a bug. I can accept that the tasks that do not allow the mode to be set should rather default to best security practices than not but changing the default mode for just about any task feels wrong. Having looked at the CVE, I'm a bit surprised this was the solution to solve it in the first place. Feels a bit like using hammer. I understand it might have been due to time constraints. I'd upvote the default change even in the now-stabilizing 2.10 (hopefully with some tooling to allow easier catching of affected tasks) but this going 1:1 to stable branches feels wrong. |
@bcoca As this is effectively a breaking change with big changes of breaking usage of 8 core modules, please take few minutes to give some feedback on the newly propose linter rule, one that should prevent such silent failures. |
After some further discussion about ways to solve this, I'm going to look at using splitting this fix into two parts: 1) to solve the issue of permissions of the temporary and 2) use the umask of the system to determine the final permissions of the file if no mode was specified. It seems I took the initial fix too far of preserving the very strict permissions of the temporary file on the final file when no mode was specified. |
Thanks, Sam. I appreciate your attitude towards this. |
I can confirm that this also breaks things like copy where one would expect that the file be written out using the default umask and not the more restrictive 0600. e.g. uri -> copy to output file to disk. I agree the tightened restrictions on temporary files is important, but I disagree that all file operations should get something more restrictive than the system umask. |
We've been dinged in the past for using the system umask when it is set to an insecure value. The previous behavior would probably be pretty surprising if it was scrutinized more. But since it worked, few probably noticed they could end up with world readable files in some cases. I wouldn't say it breaks
Tasks this change does break are those that provide no mechanism for setting the |
I would be more ok if the new restrictions went in with a warning to be correct over several releases however doing so in a backport was a bit much. The security issue is not necessarily one ansible should be fixing for users magically. Ansible should take care of it's own files that it uses during execution however. |
The 2.9.12 changelog only mentions temporary files:
My understanding of the impact of this change is that the real non-temporary files created by |
This change made my dev env unreachable (think networkd files) and broke plenty of my roles which relied on correctly set umask on the system. I do accept that security fixes can be breaking changes, but it should be clearly stated in a change log and also mentioned in documentation what happens if you don't set mode for a file. Though still a bit heavy change for a minor version security fix. |
This change excludes known broken versions of ansible from being used in test. See ansible/ansible#71200 Change-Id: I935c0a752d7d001777ba99f7858875c8d2d48025 Signed-off-by: Kevin Carter <kecarter@redhat.com>
* Update tripleo-ansible from branch 'master' - Restrict ansible install version This change excludes known broken versions of ansible from being used in test. See ansible/ansible#71200 Change-Id: I935c0a752d7d001777ba99f7858875c8d2d48025 Signed-off-by: Kevin Carter <kecarter@redhat.com>
This change excludes known broken versions of ansible from being used in test. See ansible/ansible#71200 Change-Id: I935c0a752d7d001777ba99f7858875c8d2d48025 Signed-off-by: Kevin Carter <kecarter@redhat.com> (cherry picked from commit 3ec04b4)
This change excludes known broken versions of ansible from being used in test. See ansible/ansible#71200 Change-Id: I935c0a752d7d001777ba99f7858875c8d2d48025 Signed-off-by: Kevin Carter <kecarter@redhat.com> (cherry picked from commit 3ec04b4)
Ansible 2.8.14 changed default permissions of created files to 600 [1]. This breaks kayobe because kolla-ansible generates admin-openrc.sh owned by root:root with mode 0600, which kayobe fails to read to generate public-openrc.sh. Block only Ansible 2.8.14 as the next release should include a revert of this change. [1] ansible/ansible#71200 Change-Id: I3de408d384141eee1a088d222dca7d583251a297 Story: 2008011 Task: 40661
Ansible 2.9.12 changed default permissions of created files to 600 [1]. This breaks kayobe because kolla-ansible generates admin-openrc.sh owned by root:root with mode 0600, which kayobe fails to read to generate public-openrc.sh. Block only Ansible 2.9.12 as the next release should include a revert of this change. [1] ansible/ansible#71200 Change-Id: I3de408d384141eee1a088d222dca7d583251a297 Story: 2008011 Task: 40661
Ansible 2.9.12 changed default permissions of created files to 600 [1]. This breaks kayobe because kolla-ansible generates admin-openrc.sh owned by root:root with mode 0600, which kayobe fails to read to generate public-openrc.sh. Block only Ansible 2.9.12 as the next release should include a revert of this change. [1] ansible/ansible#71200 Depends-On: https://review.opendev.org/746220 Change-Id: I3de408d384141eee1a088d222dca7d583251a297 Story: 2008011 Task: 40661
* Update kayobe from branch 'master' - Block Ansible 2.9.12 Ansible 2.9.12 changed default permissions of created files to 600 [1]. This breaks kayobe because kolla-ansible generates admin-openrc.sh owned by root:root with mode 0600, which kayobe fails to read to generate public-openrc.sh. Block only Ansible 2.9.12 as the next release should include a revert of this change. [1] ansible/ansible#71200 Depends-On: https://review.opendev.org/746220 Change-Id: I3de408d384141eee1a088d222dca7d583251a297 Story: 2008011 Task: 40661
https://github.com/ansible/ansible-lint/blob/master/lib/ansiblelint/rules/MissingFilePermissionsRule.py ansible-lint now recommends setting explicit file modes ansible/ansible#71200 use 0600 for sensitive files, 0644 for other files remove root:root owner/group directives sice this is the default clean apt module calls, don't forcefully update apt caches
This patch ensures that the 'E208' error reported by 'ansible-lint' is fixed in all DebOps roles. The file permissions in files and directories created by Ansible need to be specified explicitly. Ref: ansible/ansible#71200
This patch ensures that the 'E208' error reported by 'ansible-lint' is fixed in all DebOps roles. The file permissions in files and directories created by Ansible need to be specified explicitly. Ref: ansible/ansible#71200 (cherry picked from commit 059e685)
This patch ensures that the 'E208' error reported by 'ansible-lint' is fixed in all DebOps roles. The file permissions in files and directories created by Ansible need to be specified explicitly. Ref: ansible/ansible#71200 (cherry picked from commit 059e685) (cherry picked from commit b79f473)
Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` is not specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to 0600 when creating files, as much as possible. See also ansible/ansible#71200 .
Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` is not specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to 0600 when creating files, as much as possible. See also ansible/ansible#71200 .
Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` not being specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to 0600 when creating files, as much as possible. See also ansible/ansible#71200 .
Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` not being specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to correct modes like 0600 when creating files, as much as possible. See also ansible/ansible#71200 .
… by ansible Unfortunatelly, catastrophic and (IMHO) completely wrong changes which normal users don't expect, without enough discussions and notice to users using security as an excuse, looks merged into ansible upstream. To avoid accidents, we need to instruct ansible not change the file permission mode *explicitly* as of now. See also the followings: - ansible/ansible#71200 - ansible/ansible-lint#943
Since Ansible 2.9.12 or 2.8.14, Ansible shows the following warning, when a file gets created with `mode` not being specified in the config. ``` [WARNING]: File '/tmp/kube-apiserver.tar' created with default permissions '600'. The previous default was '666'. Specify 'mode' to avoid this warning. ``` To get rid of such a warning, specify `mode` to correct modes like 0644 when creating files, as much as possible. See also ansible/ansible#71200 .
Pins the Ansible version to 2.9.11 to avoid a breaking change to the default file mode in 2.9.12 (ansible/ansible#71200)
SUMMARY
#70221, having been backported to stable branches (2.9: #70825, 2.8: #70827), killed my beloved kitties.
ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
POSIX platforms
STEPS TO REPRODUCE
EXPECTED RESULTS
I expected my kitty to be readable by all users as it was before (before 2.9.12, 2.8.14; mode=0644).
ACTUAL RESULTS
Other users cannot read my kitty (mode=0600).
The text was updated successfully, but these errors were encountered: