
[stable-2.8] Change default file permissions so they are not world readable (#70221) #70827

Merged
merged 6 commits into from
Aug 7, 2020

Conversation

samdoran
Contributor

SUMMARY

Backport of #70221 for Ansible 2.8

CVE-2020-1736

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

lib/ansible/module_utils/basic.py
lib/ansible/module_utils/common/file.py

@samdoran samdoran added the security Related to a vulnerability or CVE label Jul 22, 2020
@samdoran samdoran force-pushed the backport-5260527-stable-2.8 branch from cca2c0e to 3d1c9c6 on July 22, 2020 21:28
@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 backport This PR does not target the devel branch. bug This issue/PR relates to a bug. core_review In order to be merged, this PR must follow the core review workflow. docs This issue/PR relates to or includes documentation. needs_triage Needs a first human triage before being processed. support:community This issue/PR relates to code supported by the Ansible community. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jul 22, 2020
@ansibot
Contributor

ansibot commented Jul 22, 2020

The test ansible-test sanity --test docs-build [explain] failed with 4 errors:

docs/docsite/rst/index.rst:0:0: unknown: 
docs/docsite/rst/index.rst:0:0: unknown: ++++++++++
docs/docsite/rst/index.rst:0:0: unknown: Code Audit
docs/docsite/rst/porting_guides/porting_guide_2.8.rst:402:0: warning: Title level inconsistent:

The test ansible-test sanity --test rstcheck [explain] failed with 1 error:

docs/docsite/rst/porting_guides/porting_guide_2.8.rst:402:0: Title level inconsistent:


@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Jul 22, 2020
…adable (ansible#70221)

* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527)

Co-authored-by: Sam Doran <sdoran@redhat.com>
@samdoran samdoran force-pushed the backport-5260527-stable-2.8 branch from 3d1c9c6 to fea3bcc on July 23, 2020 13:50
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. core_review In order to be merged, this PR must follow the core review workflow. labels Jul 23, 2020
@samdoran samdoran added the ci_verified Changes made in this PR are causing tests to fail. label Jul 24, 2020
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. system System category needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. core_review In order to be merged, this PR must follow the core review workflow. labels Jul 27, 2020
@samdoran samdoran added the ci_verified Changes made in this PR are causing tests to fail. label Jul 29, 2020
@samdoran samdoran marked this pull request as draft July 29, 2020 20:58
@samdoran
Contributor Author

This PR needs #70976 as well since this fix has a bug that was fixed in #70976.

@ansibot ansibot added test This PR relates to tests. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. core_review In order to be merged, this PR must follow the core review workflow. and removed core_review In order to be merged, this PR must follow the core review workflow. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. labels Jul 29, 2020
@ansibot
Contributor

ansibot commented Jul 30, 2020

The test ansible-test sanity --test integration-aliases [explain] failed with 1 error:

test/integration/targets/module_utils_basic/aliases:0:0: missing alias `shippable/posix/group[1-4]` or `unsupported`


@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Jul 30, 2020
@samdoran samdoran added the ci_verified Changes made in this PR are causing tests to fail. label Jul 31, 2020
…nsible#70976)

Follow up to ansible#70221
Related to ansible#67794
CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.

Add integration tests to ensure the warning works properly.

* Fix tests
- actually use custom module 🤦‍♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6

(cherry picked from commit dc79528)
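The two backported commit messages above describe the mechanism in prose: files created by atomic_move() now default to 0o660, files that did not exist before are tracked, and a warning is raised when a module supports 'mode' but none was given (including the follow-up case where set_mode_if_different() is called with mode None). The following is an added, hypothetical model of that logic written for this page; it is not Ansible's code, and the names FileModule, write_file and scratch are assumptions.

```python
import os, stat, tempfile
DEFAULT_PERM = 0o660  # new default for files the module creates (previously umask-based, typically 0o644)

class FileModule:  # hypothetical stand-in for the AnsibleModule pieces the backport touches
    def __init__(self, argument_spec, params):
        self.argument_spec, self.params = argument_spec, params
        self.created_files = set()   # files that did not exist before atomic_move()
        self.set_mode_called = False
        self.warnings = []

    def warn_default(self, path):
        self.warnings.append("File '%s' created with default permissions '%o'; specify 'mode' to avoid this." % (path, DEFAULT_PERM))

    def atomic_move(self, src, dest):
        # A brand-new dest gets DEFAULT_PERM; an existing dest keeps the mode it already had.
        existed = os.path.exists(dest)
        mode = stat.S_IMODE(os.stat(dest).st_mode) if existed else DEFAULT_PERM
        os.rename(src, dest)
        os.chmod(dest, mode)
        if not existed:
            self.created_files.add(dest)

    def set_mode_if_different(self, path, mode):
        self.set_mode_called = True
        if mode is None:  # follow-up fix (#70976): mode=None on a created file must still warn
            if path in self.created_files:
                self.warn_default(path)
            return
        os.chmod(path, int(mode, 8))

    def exit_json(self):
        # Warn once per created file when the module supports 'mode' but never set one.
        if 'mode' in self.argument_spec and self.params.get('mode') is None and not self.set_mode_called:
            for path in sorted(self.created_files):
                self.warn_default(path)
        return self.warnings

def write_file(dest, content, params, call_set_mode):
    """Write content to dest the way a module would; returns (warnings, resulting mode)."""
    m = FileModule({'mode': {'type': 'raw'}}, params)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest))
    with os.fdopen(fd, 'w') as f:
        f.write(content)
    m.atomic_move(tmp, dest)
    if call_set_mode:
        m.set_mode_if_different(dest, params.get('mode'))
    return m.exit_json(), stat.S_IMODE(os.stat(dest).st_mode)

def scratch(name):
    return os.path.join(tempfile.mkdtemp(), name)  # constructed scratch path for the demo/test
```

Running write_file on a fresh path without 'mode' yields a 0o660 file plus one warning, rewriting an existing file keeps its mode and stays silent, and an explicit mode such as '0644' is applied without a warning.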
@samdoran samdoran force-pushed the backport-5260527-stable-2.8 branch from 5c3067d to f8ab1ba on August 3, 2020 18:12
@samdoran samdoran marked this pull request as ready for review August 3, 2020 18:13
@ansibot ansibot added core_review In order to be merged, this PR must follow the core review workflow. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. core_review In order to be merged, this PR must follow the core review workflow. labels Aug 3, 2020
@ansibot ansibot added needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. and removed core_review In order to be merged, this PR must follow the core review workflow. labels Aug 6, 2020
@relrod relrod merged commit 11738ae into ansible:stable-2.8 Aug 7, 2020
samdoran added a commit to samdoran/ansible that referenced this pull request Aug 12, 2020
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Aug 12, 2020
relrod pushed a commit that referenced this pull request Aug 12, 2020
@ansible ansible locked and limited conversation to collaborators Sep 9, 2020