Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem: RCE by leveraging extra-vars #33

Closed
simonvik opened this issue Mar 21, 2024 · 3 comments
Closed

Problem: RCE by leveraging extra-vars #33

simonvik opened this issue Mar 21, 2024 · 3 comments
Assignees
@ansibleguy
Labels
documentation Improvements or additions to documentation security Security

Comments

@simonvik
Copy link

Versions

Scope

Unknown

Issue

It might not be a problem depending on the security model but it can in theory allow someone to gain more access than they should have.

See: GHSA-4839-8mxx-4xr9
@simonvik simonvik added problem Problem triage Triage labels Mar 21, 2024
@ansibleguy
Copy link
Owner

ansibleguy commented Mar 22, 2024
edited
Loading

Greetings!

Should at least be mentioned in the docs, yeah.
As I see it - even allowing users to execute playbooks is by design a RCE in the context of the executing user. (when target is localhost)

@ansibleguy ansibleguy self-assigned this Mar 22, 2024
@ansibleguy ansibleguy added documentation Improvements or additions to documentation security Security and removed triage Triage problem Problem labels Mar 22, 2024
@ansibleguy ansibleguy changed the title Problem: Allowing extra-vars might enable code-execution on the server executing the ansible-playbook Problem: RCE by leveraging extra-vars Mar 22, 2024
@superstes
Copy link

superstes commented Mar 22, 2024
edited
Loading

Could be nice-to-have to allow a specific runner user. So the execution context is separated from the WebUI context. (Setting in System config)

P.E. User ansible-webui is running the WebUI and ansible-runner user is executing commands
The WebUI user will need system privileges to become the runner user.

@ansibleguy
Copy link
Owner

Could be nice-to-have to allow a specific runner user. So the execution context is separated from the WebUI context. (Setting in System config)

Would be doable if ansible-runner would allow us to specify the subprocess-user (currently not possible).
I've created a feature-request in the ansible-runner repo to find out if they would be OK with adding support for it.

ansibleguy added a commit that referenced this issue Mar 25, 2024
@ansibleguy
added security-warning (#33)
ab170cc
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ansibleguy ansibleguy

Labels
documentation Improvements or additions to documentation security Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simonvik @superstes @ansibleguy