vault-password: ensure other users can't read vault password #11756

Open
wants to merge 1 commit into base: devel
Contributor

@billwanjohi billwanjohi commented Jul 27, 2015

SUMMARY

Take 2 on #11754, this time on live code, and after testing locally.

ISSUE TYPE

Feature Pull Request

COMPONENT NAME

lib/ansible/cli/__init__.py

ANSIBLE VERSION

2.3

ADDITIONAL INFORMATION

Member

@bcoca bcoca commented Jul 27, 2015

I'm not sure we want this, many times a group shares a vault file, permissions should be up to the user as the context can vary.

Contributor Author

@billwanjohi billwanjohi commented Jul 27, 2015

I took inspiration for this from other common utilities like ssh-agent and postgresql that will fail when given overly permissive files. Example from postgresql documentation:

> On Unix systems, the permissions on .pgpass must disallow any access to world or group; achieve this by the command chmod 0600 ~/.pgpass. If the permissions are less strict than this, the file will be ignored.

I do follow you that this would be a nuisance to some subset of users (though I doubt many), but this is such an important security consideration that I'd argue for the interests of the majority of users, who will be better served by the more restrictive default.

(Ideally I'd even like to confirm that the file isn't tracked by git or other revision control systems, but that's for another pull request.)

Member

@bcoca bcoca commented Jul 27, 2015

I don't think it is a minority as vault is frequently used within a team setting, I would make it into a config enforce_vault_permissions=0440, for example.

Contributor

@amenonsen amenonsen commented Jul 28, 2015

That makes sense to me: if enforce_vault_permissions is set to something and the permissions don't match, complain. If it's not set, don't do anything. (But that means this PR also needs a documentation update.)
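
The opt-in behaviour described in the comment above, sketched in Python as an added example (not code from this pull request or from Ansible). `enforce_vault_permissions` is the setting name proposed in the thread; the function names are hypothetical, and reading "don't match" as "grants any bit beyond the configured mode" is an assumption.

```python
import os
import stat
import tempfile


class VaultPasswordPermissionError(Exception):
    """The password file grants more access than the enforced mode allows."""


def parse_mode(value):
    """Parse an octal string such as '0440'; None or '' means the setting is unset."""
    if value is None or str(value).strip() == "":
        return None
    return int(str(value), 8) & 0o777


def excess_permissions(path, allowed_mode):
    """Return the permission bits set on path that allowed_mode does not grant."""
    mode = stat.S_IMODE(os.stat(path).st_mode)  # stat follows symlinks to the target
    return mode & ~allowed_mode & 0o777


def check_vault_password_file(path, enforce_vault_permissions=None):
    """Unset setting: do nothing. Set: complain about any excess permission bit."""
    allowed = parse_mode(enforce_vault_permissions)
    if allowed is None:
        return
    extra = excess_permissions(path, allowed)
    if extra:
        raise VaultPasswordPermissionError(
            "%s grants %04o beyond the allowed %04o; run: chmod %04o %s"
            % (path, extra, allowed, allowed, path))


def demo():
    """Constructed sample: one throwaway file (mode 0644) under three settings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault_pass.txt")
        with open(path, "w") as fh:
            fh.write("constructed-sample-password\n")
        os.chmod(path, 0o644)
        for setting in (None, "0440", "0644"):
            try:
                check_vault_password_file(path, setting)
                results[setting] = "ok"
            except VaultPasswordPermissionError:
                results[setting] = "rejected"
    return results
```

A password file that is an executable script needs its execute bits included in the allowed mode, otherwise this check rejects it.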

Contributor

@ansibot ansibot commented Jan 5, 2017

@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests.

Contributor

@ansibot ansibot commented Jan 6, 2017

@billwanjohi This PR was tested by travis-ci.org, which is no longer used. Please rebase your branch to trigger running of current tests.

Contributor

@ansibot ansibot commented Apr 4, 2017

@billwanjohi Greetings! Thanks for taking the time to open this pull request. In order for the community to handle your pull request effectively, we need a bit more information.

Here are the items we could not find in your description:

  • issue type
  • ansible version
  • component name

Please set the description of this pull request with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/PULL_REQUEST_TEMPLATE.md

@jstoja jstoja commented Sep 13, 2018

I don't think this relates very well to ssh-agent or pgsql .pgpass files that are clear text. Ansible vault like is encrypted, which means that even if you have access to it, you cannot read its content. Limiting the permission too is nice, but if it's not done, I don't think it deserves any warning. cc @bcoca

Contributor

@kenyon kenyon commented Nov 23, 2019

> I don't think this relates very well to ssh-agent or pgsql .pgpass files that are clear text. Ansible vault like is encrypted, which means that even if you have access to it, you cannot read its content. Limiting the permission too is nice, but if it's not done, I don't think it deserves any warning. cc @bcoca

This is about the vault password file, not the vault data files themselves. That is, the --vault-password-file referred to in ansible-vault.

@jstoja jstoja commented Nov 26, 2019

Contributor

@kenyon kenyon commented Nov 26, 2019

IMO if a group is sharing a vault, each user should have their own password file (if they want). That way restrictive permissions could be enforced as suggested.
