Ansible reads group_vars from cwd with precedence #16953
Comments
kustodian
changed the title
|
I believe this is a similar issue to #16956 |
|
Any news about when will this issue big fixed, since this is a security concern. Variables which Ansible reads from the current working directory can bet set that way to make the managed host(s) unusable. |
The flag new_pb_basedir is not being utilized in Inventory._get_hostgroup_vars, leading to the situation where an inventory with no playbook basedir set will read host/group vars from the $CWD, regardless of the inventory and/or playbook relative location. This patch corrects that by not using the playbook basedir if it is unset (None). This patch also corrects a bug in which the VariableManager would accumulate host/group vars files, which could lead to incorrect vars files being used when playbooks are run from different directories containing their own group/host vars directories. Fixes #16953
The flag new_pb_basedir is not being utilized in Inventory._get_hostgroup_vars, leading to the situation where an inventory with no playbook basedir set will read host/group vars from the $CWD, regardless of the inventory and/or playbook relative location. This patch corrects that by not using the playbook basedir if it is unset (None). This patch also corrects a bug in which the VariableManager would accumulate host/group vars files, which could lead to incorrect vars files being used when playbooks are run from different directories containing their own group/host vars directories. Fixes #16953 (cherry picked from commit b617d62)
Closing This TicketHi! We believe the above commit should resolve this problem for you. This will also be included in the next release. If you continue seeing any problems related to this issue, or if you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:
Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved. Thank you! |
|
Hill,kustodian |
|
@GoodHaHa 2.1.2 should fix the issue. |
|
@kustodian Thinks very much. |
The flag new_pb_basedir is not being utilized in Inventory._get_hostgroup_vars, leading to the situation where an inventory with no playbook basedir set will read host/group vars from the $CWD, regardless of the inventory and/or playbook relative location. This patch corrects that by not using the playbook basedir if it is unset (None). This patch also corrects a bug in which the VariableManager would accumulate host/group vars files, which could lead to incorrect vars files being used when playbooks are run from different directories containing their own group/host vars directories. Fixes ansible#16953
ISSUE TYPE
ANSIBLE VERSION
CONFIGURATION
N/A
OS / ENVIRONMENT
Ubuntu/CentOS
SUMMARY
If the inventory and the playbook are not in the current working directory (cwd), and
group_varsexists in cwd, Ansible will read variables fromcwd/group_varsand will even give them precedence. This only happens if the same file exists in both group_vars of cwd and the inventory. TheSTEPS TO REPRODUCE
Here is a simple repro. Create a file structure like this:
Run
site.ymlwith this inventory:EXPECTED RESULTS
It should display
var1: "Set in inventory".ACTUAL RESULTS
It actually displays the value of the variable defined in cwd:
The text was updated successfully, but these errors were encountered: