Missing 'mode' on file copy can lead to too restrictive default permissions #314

Closed
geerlingguy opened this issue Aug 14, 2020 · 4 comments

Comments

@geerlingguy
Owner

My CI jobs just started failing after Ansible 2.9.12 was released.

I noticed the following failure:

TASK [Verify Apache is serving web requests.] **********************************
fatal: [instance]: FAILED! => {"changed": false, "connection": "close", "content": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p>You don't have permission to access /index.html\non this server.<br />\n</p>\n</body></html>\n", "content_length": "219", "content_type": "text/html; charset=iso-8859-1", "date": "Fri, 14 Aug 2020 15:07:32 GMT", "elapsed": 0, "msg": "Status code was 403 and not [200]: HTTP Error 403: Forbidden", "redirected": false, "server": "Apache/2.4.37 (centos)", "status": 403, "url": "http://localhost/"}

But locally (where I had 2.9.11) it was not failing. It was not until after scanning the rest of the failed job logs that I noticed:

    TASK [Copy a web page.] ********************************************************
    [WARNING]: File '/var/www/html/index.html' created with default permissions
    '600'. The previous default was '666'. Specify 'mode' to avoid this warning.
    changed: [instance]

This seems to be a major breaking change, as I still have a number of file, copy, template, etc. tasks which do not explicitly define a mode, and relied on the default behavior. It looks like others have been hitting this problem too: ansible/ansible#71200

I'm not sure if the default will be changed back, but I guess in general, the best option is to always explicitly define mode now, since the system default will not be used in the name of security.
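Added example, not from the issue thread or the role under discussion: the same copy task with the permissions stated explicitly, so the result no longer depends on the module default or the remote umask. Under the old 0o666 default the file ended up as 0o666 masked by the umask (0644 with the common 022 umask), which is why the httpd worker process could read it; 0o600 leaves read access to the owner only, which is exactly what the 403 above reflects. The source path, ownership and handler name are assumptions.

```yaml
# Added example; paths, owner/group and the handler name are assumptions.
- name: Copy a web page.
  copy:
    src: files/index.html
    dest: /var/www/html/index.html
    owner: root
    group: root
    # World-readable, owner-writable: what the old default gave with umask 022.
    # Quote the value so YAML does not read 0644 as the decimal integer 644.
    mode: '0644'
  notify: restart apache

- name: Ensure the document root exists with explicit permissions.
  file:
    path: /var/www/html
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Render the vhost configuration with explicit permissions.
  template:
    src: templates/vhost.conf.j2
    dest: /etc/httpd/conf.d/vhost.conf
    owner: root
    group: root
    mode: '0644'
  notify: restart apache
```

The same applies to any copy, template, file, lineinfile or blockinfile task that creates a file: set mode on every one of them rather than relying on whatever the default happens to be in a given release.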

@dvallis

dvallis commented Aug 18, 2020

I've been trying to figure out why a certain playbook wouldn't run. I get the exact error "The previous default was '666'. Specify 'mode' to avoid this warning." I was on ansible 2.9.12. Problem started a week ago, so it must be this.

What ansible version should I revert to so this error does not happen? Trial and error is taking forever as each time the Playbook fails it breaks networking and apt-get on the target server, so I have to re-install Ubuntu.

@dvallis

dvallis commented Aug 18, 2020

FYI, anyone with a playbook broken because of this update the solution is

    $ pip install ansible==2.9.10

Took me a frigging WEEK to figure out this was the root cause. Grrr.

@yaobinwen-mvs

@dvallis According to the Porting Guide 2.9: Change to Default File Permissions, the default permission was changed to address the security issue CVE-2020-1736:

To address CVE-2020-1736, the default permissions for certain files created by Ansible using atomic_move() were changed from 0o666 to 0o600 starting with Ansible 2.9.12.

According to ansible/ansible#67794 (comment), the developers seem to be looking for a less disruptive solution now.

@ivan-at-wiris

ivan-at-wiris commented Aug 19, 2020

🤦 Facepalm
