Ansible reads group_vars from cwd with precedence #16953
Comments
I believe this is a similar issue to #16956
Any news about when this issue will be fixed, since this is a security concern? Variables which Ansible reads from the current working directory can be set that way to make the managed host(s) unusable.
The flag new_pb_basedir is not being utilized in Inventory._get_hostgroup_vars, leading to the situation where an inventory with no playbook basedir set will read host/group vars from the $CWD, regardless of the inventory and/or playbook relative location. This patch corrects that by not using the playbook basedir if it is unset (None). This patch also corrects a bug in which the VariableManager would accumulate host/group vars files, which could lead to incorrect vars files being used when playbooks are run from different directories containing their own group/host vars directories. Fixes #16953
The flag new_pb_basedir is not being utilized in Inventory._get_hostgroup_vars, leading to the situation where an inventory with no playbook basedir set will read host/group vars from the $CWD, regardless of the inventory and/or playbook relative location. This patch corrects that by not using the playbook basedir if it is unset (None). This patch also corrects a bug in which the VariableManager would accumulate host/group vars files, which could lead to incorrect vars files being used when playbooks are run from different directories containing their own group/host vars directories. Fixes #16953 (cherry picked from commit b617d62)
Closing This Ticket
Hi! We believe the above commit should resolve this problem for you. This will also be included in the next release. If you continue seeing any problems related to this issue, or if you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:
Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved. Thank you!
Hill,kustodian
@GoodHaHa 2.1.2 should fix the issue.
@kustodian Thanks very much.
ISSUE TYPE
ANSIBLE VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
Ubuntu/CentOS
SUMMARY
If the inventory and the playbook are not in the current working directory (cwd), and group_vars exists in cwd, Ansible will read variables from cwd/group_vars and will even give them precedence. This only happens if the same file exists in both group_vars of cwd and the inventory. The
STEPS TO REPRODUCE
Here is a simple repro. Create a file structure like this:
Run site.yml with this inventory:
EXPECTED RESULTS
It should display var1: "Set in inventory".
ACTUAL RESULTS
It actually displays the value of the variable defined in cwd:
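A pre-flight check for the shadowing condition the summary describes (the same vars file present both under the cwd and next to the inventory), as an added example that is not part of the original issue or of Ansible's own code. The function names, the directory layout and the "Set in cwd" value are constructed for illustration.

```python
"""Added example: flag group_vars/host_vars files in the CWD that shadow inventory vars."""
import os
import tempfile

VARS_DIRS = ("group_vars", "host_vars")


def vars_files(base):
    """Map each vars file under base to its path, keyed by relative name without extension."""
    found = {}
    for vars_dir in VARS_DIRS:
        # os.walk yields nothing if the directory does not exist.
        for dirpath, _dirs, files in os.walk(os.path.join(base, vars_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                # Drop the extension so "all" and "all.yml" count as the same vars file.
                key = os.path.splitext(os.path.relpath(full, base))[0]
                found[key] = full
    return found


def shadowing_files(cwd, inventory_dir, playbook_dir):
    """Return CWD vars files whose name also exists next to the inventory.

    Returns [] when the CWD is itself the inventory or playbook directory,
    because vars files there are expected to be loaded.
    """
    cwd = os.path.realpath(cwd)
    if cwd in {os.path.realpath(inventory_dir), os.path.realpath(playbook_dir)}:
        return []
    inventory_vars = vars_files(inventory_dir)
    return sorted(p for key, p in vars_files(cwd).items() if key in inventory_vars)


def demo():
    """Build a constructed layout (not the issue's own) and run the check from 'top'."""
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        inv = os.path.join(top, "project", "inventory")
        for base, value in ((inv, "Set in inventory"), (top, "Set in cwd")):
            os.makedirs(os.path.join(base, "group_vars"))
            with open(os.path.join(base, "group_vars", "all.yml"), "w") as fh:
                fh.write('var1: "%s"\n' % value)
        hits = shadowing_files(top, inv, os.path.join(top, "project"))
        return [os.path.relpath(h, top) for h in hits]


if __name__ == "__main__":
    print(demo())
```

A wrapper that runs ansible-playbook on affected versions can call shadowing_files() with os.getcwd() and refuse to proceed when the list is non-empty.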