From 2abaf320d746c8680a0ce595ad0de93639c7e539 Mon Sep 17 00:00:00 2001
From: Rick Elrod <rick@elrod.me>
Date: Mon, 1 Jun 2020 03:43:20 -0500
Subject: [PATCH] [ansiballz] ensure that '' is not in sys.path (#69342)

Change:
On OpenBSD when using pipelining, we do not set cwd which results in a
permissions fatal. Ensure that `''` - cwd - is not in `sys.path`.

Test Plan:
Tested against local OpenBSD VM

Tickets:
Fixes #69320

Signed-off-by: Rick Elrod <rick@elrod.me>
---
 changelogs/fragments/69320-sys-path-cwd.yml            | 2 ++
 docs/docsite/rst/porting_guides/porting_guide_2.10.rst | 1 +
 lib/ansible/executor/module_common.py                  | 6 ++++--
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/69320-sys-path-cwd.yml

diff --git a/changelogs/fragments/69320-sys-path-cwd.yml b/changelogs/fragments/69320-sys-path-cwd.yml
new file mode 100644
index 00000000000..2d86c450a07
--- /dev/null
+++ b/changelogs/fragments/69320-sys-path-cwd.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - ansiballz - remove '' and '.' from sys.path to fix a permissions issue on OpenBSD with pipelining (#69320)
diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
index 54b2989c494..9b6073de00e 100644
--- a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
@@ -138,6 +138,7 @@ Noteworthy module changes
 * The parameter ``message`` in :ref:`grafana_dashboard <grafana_dashboard_module>` module is renamed to ``commit_message`` since ``message`` is used by Ansible Core engine internally.
 * The parameter ``message`` in :ref:`datadog_monitor <datadog_monitor_module>` module is renamed to ``notification_message`` since ``message`` is used by Ansible Core engine internally.
 * The parameter ``message`` in :ref:`bigpanda <bigpanda_module>` module is renamed to ``deployment_message`` since ``message`` is used by Ansible Core engine internally.
+* Ansible no longer looks for Python modules in the current working directory (typically the ``remote_user``'s home directory) when an Ansible module is run. This is to fix becoming an unprivileged user on OpenBSD and to mitigate any attack vector if the current working directory is writable by a malicious user. Install any Python modules needed to run the Ansible modules on the managed node in a system-wide location or in another directory which is in the ``remote_user``'s ``$PYTHONPATH`` and readable by the ``become_user``.
 
 
 Plugins
diff --git a/lib/ansible/executor/module_common.py b/lib/ansible/executor/module_common.py
index fea097cf903..05b1e8ab2f6 100644
--- a/lib/ansible/executor/module_common.py
+++ b/lib/ansible/executor/module_common.py
@@ -143,8 +143,10 @@ def _ansiballz_main():
         # OSX raises OSError if using abspath() in a directory we don't have
         # permission to read (realpath calls abspath)
         pass
-    if scriptdir is not None:
-        sys.path = [p for p in sys.path if p != scriptdir]
+
+    # Strip cwd from sys.path to avoid potential permissions issues
+    excludes = set(('', '.', scriptdir))
+    sys.path = [p for p in sys.path if p not in excludes]
 
     import base64
     import runpy