-
Notifications
You must be signed in to change notification settings - Fork 23.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[stable-2.8] Change default file permissions so they are not world readable (#70221) #70827
Merged
relrod
merged 6 commits into
ansible:stable-2.8
from
samdoran:backport-5260527-stable-2.8
Aug 7, 2020
Merged
[stable-2.8] Change default file permissions so they are not world readable (#70221) #70827
relrod
merged 6 commits into
ansible:stable-2.8
from
samdoran:backport-5260527-stable-2.8
Aug 7, 2020
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
samdoran
force-pushed
the
backport-5260527-stable-2.8
branch
from
July 22, 2020 21:28
cca2c0e
to
3d1c9c6
Compare
ansibot
added
affects_2.8
This issue/PR affects Ansible v2.8
backport
This PR does not target the devel branch.
bug
This issue/PR relates to a bug.
core_review
In order to be merged, this PR must follow the core review workflow.
docs
This issue/PR relates to or includes documentation.
needs_triage
Needs a first human triage before being processed.
support:community
This issue/PR relates to code supported by the Ansible community.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
labels
Jul 22, 2020
The test
The test
|
ansibot
added
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Jul 22, 2020
…adable (ansible#70221) * Change default file permissions so they are not world readable CVE-2020-1736 Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults. A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code. - use a set for storing list of created files - just check the argument spac and params rather than using another property - improve the warning message to include the default permissions. (cherry picked from commit 5260527) Co-authored-by: Sam Doran <sdoran@redhat.com>
samdoran
force-pushed
the
backport-5260527-stable-2.8
branch
from
July 23, 2020 13:50
3d1c9c6
to
fea3bcc
Compare
ansibot
added
core_review
In order to be merged, this PR must follow the core review workflow.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Jul 23, 2020
samdoran
added
the
ci_verified
Changes made in this PR are causing tests to fail.
label
Jul 24, 2020
ansibot
added
core_review
In order to be merged, this PR must follow the core review workflow.
system
System category
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
ci_verified
Changes made in this PR are causing tests to fail.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Jul 27, 2020
samdoran
added
the
ci_verified
Changes made in this PR are causing tests to fail.
label
Jul 29, 2020
ansibot
added
test
This PR relates to tests.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
core_review
In order to be merged, this PR must follow the core review workflow.
and removed
core_review
In order to be merged, this PR must follow the core review workflow.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
labels
Jul 29, 2020
The test
|
ansibot
added
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Jul 30, 2020
samdoran
added
the
ci_verified
Changes made in this PR are causing tests to fail.
label
Jul 31, 2020
…nsible#70976) Follow up to ansible#70221 Related to ansible#67794 CVE-2020-1736 When set_mode_if_different() is called with mode of 'None', ensure we issue a warning about the change in default permissions. Add integration tests to ensure the warning works properly. * Fix tests - actually use custom module 🤦♂️ - verify file permission on created files - use remote_tmp_dir so we're ready for split controller - improve test module so we can skip the call to set_fs_attributes_if_different() - fix tests for CentOS 6 (cherry picked from commit dc79528)
samdoran
force-pushed
the
backport-5260527-stable-2.8
branch
from
August 3, 2020 18:12
5c3067d
to
f8ab1ba
Compare
ansibot
added
core_review
In order to be merged, this PR must follow the core review workflow.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
ci_verified
Changes made in this PR are causing tests to fail.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Aug 3, 2020
relrod
reviewed
Aug 6, 2020
relrod
reviewed
Aug 6, 2020
ansibot
added
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
and removed
core_review
In order to be merged, this PR must follow the core review workflow.
labels
Aug 6, 2020
samdoran
added a commit
to samdoran/ansible
that referenced
this pull request
Aug 12, 2020
…world readable (ansible#70221) (ansible#70827)" This reverts commit 11738ae.
sivel
removed
the
needs_triage
Needs a first human triage before being processed.
label
Aug 12, 2020
relrod
pushed a commit
that referenced
this pull request
Aug 12, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
affects_2.8
This issue/PR affects Ansible v2.8
backport
This PR does not target the devel branch.
bug
This issue/PR relates to a bug.
collection:community.aws
collection
Related to Ansible Collections work
docs
This issue/PR relates to or includes documentation.
needs_revision
This PR fails CI tests or a maintainer has requested a review/revision of the PR.
security
Related to a vulnerability or CVE
support:community
This issue/PR relates to code supported by the Ansible community.
support:core
This issue/PR relates to code supported by the Ansible Engineering Team.
system
System category
test
This PR relates to tests.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Backport of #70221 for Ansible 2.8
CVE-2020-1736
ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/basic.py
lib/ansible/module_utils/common/file.py