Change default file permissions so they are not world readable #70221

Merged: samdoran merged 7 commits into ansible:devel from samdoran:cve/2020-1736-atomic_move-default-perms on Jul 22, 2020.
Diff: +118 −16
Conversation
mattclay reviewed on Jun 22, 2020.

mattclay reviewed on Jun 23, 2020.
CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code.

- use a set for storing the list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions
sshnaidm added a commit to containers/ansible-podman-collections that referenced this pull request on Jul 26, 2020:

In the podman connection, when we copy a file to a container and work as a non-root user, we need to set the correct ownership for the files. Since Ansible change ansible/ansible#70221 it's broken, because of the new permissions Ansible sets on copied files.

samdoran added a commit to samdoran/ansible that referenced this pull request on Jul 29, 2020:

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

samdoran added a commit that referenced this pull request on Jul 30, 2020:

…70976)

Follow up to #70221
Related to #67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6
samdoran added a commit to samdoran/ansible that referenced this pull request on Jul 30, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry picked from commit dc79528)

samdoran added a commit to samdoran/ansible that referenced this pull request on Jul 30, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry-picked from commit dc79528)

samdoran added a commit to samdoran/ansible that referenced this pull request on Jul 30, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry picked from commit dc79528)

nitzmahone pushed a commit that referenced this pull request on Jul 30, 2020:

…70976) (#70985)

Follow up to #70221
Related to #67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry picked from commit dc79528)
samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 3, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry-picked from commit dc79528)

samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 3, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry picked from commit dc79528)

relrod pushed a commit that referenced this pull request on Aug 7, 2020:

…adable (#70221) (#70827)

* [stable-2.8] Change default file permissions so they are not world readable (#70221)

* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code.

- use a set for storing the list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.

(cherry picked from commit 5260527)

Co-authored-by: Sam Doran <sdoran@redhat.com>

* Fix service test
* Fix lambda_policy test
* Fix aws_lambda test
* Fix warning for new default permissions when mode is not specified (#70976)

Follow up to #70221
Related to #67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry picked from commit dc79528)

* Use new category in changelog fragments

relrod pushed a commit that referenced this pull request on Aug 7, 2020:

…adable (#70221) (#70825)

* [stable-2.9] Change default file permissions so they are not world readable (#70221)

* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code.

- use a set for storing the list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.

(cherry picked from commit 5260527)

Co-authored-by: Sam Doran <sdoran@redhat.com>

* Fix jboss test
* Fix lambda_policy test
* Fix aws_lambda test
* Fix warning for new default permissions when mode is not specified (#70976)

Follow up to #70221
Related to #67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6

(cherry-picked from commit dc79528)

* Use new category in changelog fragments

zoredache pushed a commit to zoredache/ansible that referenced this pull request on Aug 10, 2020:

…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794

CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly.

* Fix tests
  - actually use custom module 🤦♂️
  - verify file permission on created files
  - use remote_tmp_dir so we're ready for split controller
  - improve test module so we can skip the call to set_fs_attributes_if_different()
  - fix tests for CentOS 6
openstack-mirroring pushed a commit to openstack/openstack that referenced this pull request on Aug 11, 2020:

* Update kolla-ansible from branch 'master'
  - Merge "Fix post-deploy mode"
  - Fix post-deploy mode

Ansible changed the default mode for files, even in stable releases. [1] This change restores the previous default (with the common umask).

[1] ansible/ansible#70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145

openstack-mirroring pushed a commit to openstack/kolla-ansible that referenced this pull request on Aug 11, 2020:

Ansible changed the default mode for files, even in stable releases. [1] This change restores the previous default (with the common umask).

[1] ansible/ansible#70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145

samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 12, 2020:

ansible#70221)"

This reverts commit 5260527.

samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 12, 2020:

…world readable (ansible#70221) (ansible#70825)"

This reverts commit 0199b1c.

samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 12, 2020:

…world readable (ansible#70221) (ansible#70827)"

This reverts commit 11738ae.
relrod pushed a commit that referenced this pull request on Aug 12, 2020.

relrod pushed a commit that referenced this pull request on Aug 12, 2020.

samdoran added a commit to samdoran/ansible that referenced this pull request on Aug 12, 2020:

… world readable (ansible#70221) (ansible#70824)"

This reverts commit 7e4cffc.

relrod pushed a commit that referenced this pull request on Aug 12, 2020:

… world readable (#70221) (#70824)" (#71236)

* [stable-2.10] Revert "Fix warning for new default permissions when mode is not specified (#70976) (#70985)"

This reverts commit 5cb9608.

* [stable-2.10] Revert "Change default file permissions so they are not world readable (#70221) (#70824)"

This reverts commit 7e4cffc.

okleinschmidt pushed a commit to okleinschmidt/kolla-ansible that referenced this pull request on Aug 13, 2020:

Ansible changed the default mode for files, even in stable releases. [1] This change restores the previous default (with the common umask).

[1] ansible/ansible#70221

Change-Id: I0f81214b4f95fe8a378844745ebc77f3c43027ab
Closes-Bug: #1891145

relrod added a commit to relrod/ansible that referenced this pull request on Aug 13, 2020:

… are not world readable (ansible#70221) (ansible#70824)" (ansible#71236)"

This reverts commit c968020.
Labels:
- affects_2.11
- bug: This issue/PR relates to a bug.
- core_review: In order to be merged, this PR must follow the core review workflow.
- docs: This issue/PR relates to or includes documentation.
- packaging: Packaging category.
- security: Related to a vulnerability or CVE.
- support:community: This issue/PR relates to code supported by the Ansible community.
- support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
SUMMARY

CVE-2020-1736
Fixes #67794

Set the default permissions for files we create with atomic_move() to 0o0600 minus the system umask. Track which files were created by atomic_move() and warn if the module supports mode and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify the permissions rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning in this case. Warning in those instances would be frustrating to the user since they have no way to change the module code nor can they specify permissions.

ISSUE TYPE

COMPONENT NAME

lib/ansible/module_utils/basic.py

ADDITIONAL INFORMATION

Need to complete
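The mechanism the PR description and the merged commit message lay out (a restrictive default mode for files atomic_move() creates, minus the process umask; a set of destinations that did not exist before; a warning when the module accepts a mode argument, none was given, and the file was one we created), as an added self-contained Python example. This is not Ansible's module_utils code: ModuleStandIn, mode_of, _stage and demo are assumed illustrative names, the warning text is constructed in the spirit of the one the PR adds, and the 0o600 and 0o666 values come from the PR description above. It also runs the pre-existing-destination case, where the replacement file inherits the old file's permission bits and no warning is raised.

```python
import os
import stat
import tempfile

# Values taken from the PR description; names below are assumptions for
# illustration, not the real AnsibleModule API.
DEFAULT_PERM = 0o600           # new default for files atomic_move() creates
PREVIOUS_DEFAULT_PERM = 0o666  # what the old default amounted to before umask
PERM_BITS = 0o7777


def current_umask():
    """Read the process umask without changing it (os.umask sets and returns)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask


def mode_of(path):
    """Permission bits of a path, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


class ModuleStandIn:
    """Toy stand-in for AnsibleModule: remembers which destinations
    atomic_move() created and warns when the caller never supplied a mode."""

    def __init__(self, argument_spec, params):
        self.argument_spec = argument_spec
        self.params = params
        self.created_files = set()   # destinations that did not exist before
        self.warnings = []

    def atomic_move(self, src, dest):
        if os.path.exists(dest):
            # Existing destination: carry its permission bits over to the new file.
            os.chmod(src, mode_of(dest) & PERM_BITS)
        else:
            # New destination: restrictive default minus the umask, instead of
            # whatever the temporary file happened to be created with.
            os.chmod(src, DEFAULT_PERM & ~current_umask())
            self.created_files.add(dest)
        os.rename(src, dest)   # the atomic step

    def set_mode_if_different(self, path, mode):
        """Apply `mode`; with mode=None, warn if we created the file and the
        module lets the user pass 'mode' but they did not."""
        if mode is None:
            if ('mode' in self.argument_spec
                    and self.params.get('mode') is None
                    and path in self.created_files):
                # Constructed message in the spirit of the one the PR adds.
                self.warnings.append(
                    "File '%s' created with default permissions '%o'. "
                    "The previous default was '%o'. Specify 'mode' to avoid this warning."
                    % (path, DEFAULT_PERM & ~current_umask(), PREVIOUS_DEFAULT_PERM))
            return False
        if mode_of(path) != mode:
            os.chmod(path, mode)
            return True
        return False


def _stage(tmp, name):
    """Write a constructed temp file the way a module would before atomic_move()."""
    path = os.path.join(tmp, name)
    with open(path, 'w') as fh:
        fh.write('constructed sample content\n')
    return path


def demo():
    """Run three scenarios in a temp dir; returns {scenario: (mode, warnings, tracked)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        spec = {'path': {}, 'mode': {}}   # module supports 'mode'

        # 1. User left mode unset and the file is new: default perms plus a warning.
        m = ModuleStandIn(spec, {'mode': None})
        dest = os.path.join(tmp, 'new_unspecified')
        m.atomic_move(_stage(tmp, 'tmp1'), dest)
        m.set_mode_if_different(dest, m.params['mode'])
        results['unspecified'] = (mode_of(dest), len(m.warnings), dest in m.created_files)

        # 2. User passed mode=0o640: that mode is applied, no warning.
        m = ModuleStandIn(spec, {'mode': 0o640})
        dest = os.path.join(tmp, 'new_specified')
        m.atomic_move(_stage(tmp, 'tmp2'), dest)
        m.set_mode_if_different(dest, m.params['mode'])
        results['specified'] = (mode_of(dest), len(m.warnings), dest in m.created_files)

        # 3. Destination already existed as 0o644: not tracked, bits kept, no warning.
        m = ModuleStandIn(spec, {'mode': None})
        dest = _stage(tmp, 'existing')
        os.chmod(dest, 0o644)
        m.atomic_move(_stage(tmp, 'tmp3'), dest)
        m.set_mode_if_different(dest, m.params['mode'])
        results['existing'] = (mode_of(dest), len(m.warnings), dest in m.created_files)
    return results


if __name__ == '__main__':
    for name, (mode, warned, tracked) in demo().items():
        print('%-12s mode=%o warnings=%d tracked=%s' % (name, mode, warned, tracked))
```

The point of the set of created files is that the warning fires only for files the module brought into existence under the new default: a replaced file keeps the bits it already had, and a file whose mode the playbook sets explicitly gets that mode and stays quiet. The modules the description says still need auditing are the ones that reach atomic_move() without ever calling set_mode_if_different(), which in this stand-in means the warning branch is never reached.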