vault-password: ensure other users can't read vault password #11756

Open
wants to merge 1 commit into
base: devel
from


@billwanjohi
Contributor

commented Jul 27, 2015

SUMMARY

Take 2 on #11754, this time on live code, and after testing locally.

ISSUE TYPE

Feature Pull Request

COMPONENT NAME

lib/ansible/cli/init.py

ANSIBLE VERSION

2.3

ADDITIONAL INFORMATION
@bcoca

Member

commented Jul 27, 2015

I'm not sure we want this, many times a group shares a vault file, permissions should be up to the user as the context can vary.

@billwanjohi

Contributor Author

commented Jul 27, 2015

I took inspiration for this from other common utilities like ssh-agent and postgresql that will fail when given overly permissive files. Example from postgresql documentation:

On Unix systems, the permissions on .pgpass must disallow any access to world or group; achieve this by the command chmod 0600 ~/.pgpass. If the permissions are less strict than this, the file will be ignored.

I do follow you that this would be a nuisance to some subset of users (though I doubt many), but this is such an important security consideration that I'd argue for the interests of the majority of users, who will be better served by the more restrictive default.

(Ideally I'd even like to confirm that the file isn't tracked by git or other revision control systems, but that's for another pull request.)

@bcoca

Member

commented Jul 27, 2015

I don't think it is a minority as vault is frequently used within a team setting, I would make it into a config enforce_vault_permissions=0440, for example.

@amenonsen

Contributor

commented Jul 28, 2015

That makes sense to me: if enforce_vault_permissions is set to something and the permissions don't match, complain. If it's not set, don't do anything. (But that means this PR also needs a documentation update.)
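The opt-in check discussed in the two comments above, as an added example (not code from this PR or from Ansible). It assumes `enforce_vault_permissions` is read as the maximum allowed mode, so any permission bit outside it is a failure; `check_password_file`, `parse_mode` and `VaultPermissionError` are hypothetical names, and the file checked is a constructed temporary file.

```python
import os
import stat
import tempfile


class VaultPermissionError(Exception):
    """The password file grants more access than the configured mode."""


def parse_mode(value):
    """Parse an octal string such as '0440'; None or '' means 'not set'."""
    if value is None or str(value).strip() == "":
        return None
    mode = int(str(value).strip(), 8)
    if not 0 <= mode <= 0o777:
        raise ValueError("mode out of range: %r" % (value,))
    return mode


def check_password_file(path, enforce=None):
    """Return the file's mode bits, or raise if any fall outside `enforce`."""
    allowed = parse_mode(enforce)
    if allowed is None:          # setting absent: do nothing, as proposed
        return None
    actual = stat.S_IMODE(os.stat(path).st_mode) & 0o777
    extra = actual & ~allowed    # bits granted beyond the allowed mask
    if extra:
        raise VaultPermissionError(
            "%s has mode %04o; bits %04o exceed allowed %04o"
            % (path, actual, extra, allowed))
    return actual


def demo():
    """Check a constructed temporary file at three modes against 0440."""
    results = {}
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        for mode in (0o400, 0o440, 0o644):
            os.chmod(path, mode)
            try:
                check_password_file(path, "0440")
                results[mode] = "ok"
            except VaultPermissionError:
                results[mode] = "rejected"
        results["unset"] = check_password_file(path, None)
    finally:
        os.remove(path)
    return results
```

Passing `"0600"` as the mode gives the `.pgpass`-style rule quoted earlier in the thread, where any group or world access is rejected.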

@jimi-c jimi-c removed the P4 label Dec 7, 2015

@alikins alikins self-assigned this May 26, 2016

@ansibot ansibot added needs_rebase and removed needs_rebase labels Jan 2, 2017

@ansibot

Contributor

commented Jan 5, 2017

@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests.


@ansibot

Contributor

commented Jan 6, 2017

@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests.


@ansibot

Contributor

commented Apr 4, 2017

@billwanjohi Greetings! Thanks for taking the time to open this pull request. In order for the community to handle your pull request effectively, we need a bit more information.

Here are the items we could not find in your description:

  • issue type
  • ansible version
  • component name

Please set the description of this pull request with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/PULL_REQUEST_TEMPLATE.md


@ansibot ansibot added the cli/ label Sep 7, 2017

@ansibot ansibot added feature and removed feature_pull_request labels Mar 2, 2018

@jstoja


commented Sep 13, 2018

I don't think this relates very well to ssh-agent or the pgsql .pgpass file, which are clear text. Ansible vault is encrypted, which means that even if you have access to it, you cannot read its content. Limiting the permissions too is nice, but if it's not done, I don't think it deserves any warning. cc @bcoca
