Commit
[stable-2.10] Revert default mode changes (#71260)
* Revert "[stable-2.10] Revert "Change default file permissions so they are not world readable (#70221) (#70824)" (#71236)"

  This reverts commit c968020.

* Revert "Remove porting guide entry related to reverted change (#71242)"

  This reverts commit 006a21e.
Showing 11 changed files with 191 additions and 15 deletions.
@@ -0,0 +1,4 @@ | ||
bugfixes: | ||
- > | ||
**security issue** atomic_move - change default permissions when creating | ||
temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736) |
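Review bot: the fragment under `bugfixes:` says atomic_move changes the default permissions of temporary files but never states what the new default is, so a reader of the changelog cannot tell whether playbooks that omit `mode` are affected. The integration test in this same commit asserts `'0600'` for a file created with no `mode`, so state that mode explicitly in the fragment and add that callers who need a different result should pass `mode`, e.g. "temporary files are now created with mode 0600 instead of being world readable; set `mode` explicitly if wider permissions are required".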
changelogs/fragments/67794-default-permissions-warning-fix.yml (4 additions, 0 deletions)
@@ -0,0 +1,4 @@ | ||
bugfixes: | ||
- > | ||
Fix warning for default permission change when no mode is specified. Follow up | ||
to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736) |
@@ -0,0 +1 @@ | ||
shippable/posix/group5 |
test/integration/targets/module_utils_basic/library/test_perm_warning.py (36 additions, 0 deletions)
@@ -0,0 +1,36 @@ | ||
#!/usr/bin/python | ||
# -*- coding: utf-8 -*- | ||
# Copyright (c) 2020 Ansible Project | ||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) | ||
|
||
from __future__ import absolute_import, division, print_function | ||
__metaclass__ = type | ||
|
||
import tempfile | ||
|
||
from ansible.module_utils.basic import AnsibleModule | ||
|
||
|
||
def main(): | ||
module = AnsibleModule( | ||
argument_spec={ | ||
'dest': {'type': 'path'}, | ||
'call_fs_attributes': {'type': 'bool', 'default': True}, | ||
}, | ||
add_file_common_args=True, | ||
) | ||
|
||
results = {} | ||
|
||
with tempfile.NamedTemporaryFile(delete=False) as tf: | ||
file_args = module.load_file_common_arguments(module.params) | ||
module.atomic_move(tf.name, module.params['dest']) | ||
|
||
if module.params['call_fs_attributes']: | ||
results['changed'] = module.set_fs_attributes_if_different(file_args, True) | ||
|
||
module.exit_json(**results) | ||
|
||
|
||
if __name__ == '__main__': | ||
main() |
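Review bot: `dest` is declared as `{'type': 'path'}` with no `required: True`, so a task that omits it reaches `module.atomic_move(tf.name, module.params['dest'])` with `None` as the destination; since this module exists only to exercise `atomic_move`, make it `'dest': {'type': 'path', 'required': True}`. Also, `results['changed']` is only set on the `call_fs_attributes` branch, so the `call_fs_attributes: no` path returns no `changed` key at all; initialising `results = {'changed': False}` before the branch keeps the module's output uniform.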
@@ -0,0 +1,2 @@ | ||
dependencies: | ||
- setup_remote_tmp_dir |
test/integration/targets/module_utils_basic/tasks/main.yml (33 additions, 0 deletions)
@@ -0,0 +1,33 @@ | ||
- name: Run task with no mode | ||
test_perm_warning: | ||
dest: "{{ remote_tmp_dir }}/endangerdisown" | ||
register: no_mode_results | ||
|
||
- name: Run task with mode | ||
test_perm_warning: | ||
mode: '0644' | ||
dest: "{{ remote_tmp_dir }}/groveestablish" | ||
register: with_mode_results | ||
|
||
- name: Run task without calling set_fs_attributes_if_different() | ||
test_perm_warning: | ||
call_fs_attributes: no | ||
dest: "{{ remote_tmp_dir }}/referabletank" | ||
register: skip_fs_attributes | ||
|
||
- stat: | ||
path: "{{ remote_tmp_dir }}/{{ item }}" | ||
loop: | ||
- endangerdisown | ||
- groveestablish | ||
register: files | ||
|
||
- name: Ensure we get a warning when appropriate | ||
assert: | ||
that: | ||
- no_mode_results.warnings | default([], True) | length == 1 | ||
- "'created with default permissions' in no_mode_results.warnings[0]" | ||
- files.results[0]['stat']['mode'] == '0600' | ||
- files.results[1]['stat']['mode'] == '0644' | ||
- with_mode_results.warnings is not defined # The Jinja version on CentOS 6 does not support default([], True) | ||
- skip_fs_attributes.warnings | default([], True) | length == 1 |
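Review bot: the comment on the `with_mode_results.warnings is not defined` line says the Jinja on CentOS 6 does not support `default([], True)`, yet the `no_mode_results` and `skip_fs_attributes` assertions in the same `that:` list use exactly that filter, so either the comment is stale or those two assertions fail on that platform; make the three consistent, e.g. `no_mode_results.warnings | default([]) | length == 1` or the `is defined` / `is not defined` form throughout. Separately, the third task writes `referabletank`, but the `stat` loop only covers `endangerdisown` and `groveestablish`, so the on-disk mode for the path where `set_fs_attributes_if_different()` is skipped is never checked; add `referabletank` to the loop and assert its `stat.mode` alongside the warning, which is the case that task was added to cover.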