archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[ansiballz] ensure that '' is not in sys.path (#69342)

Browse Source 
Change:
On OpenBSD when using pipelining, we do not set cwd which results in a
permissions fatal. Ensure that `''` - cwd - is not in `sys.path`.

Test Plan:
Tested against local OpenBSD VM

Tickets:
Fixes #69320

Signed-off-by: Rick Elrod <rick@elrod.me>
pull/69800/head
Rick Elrod 5 years ago committed by GitHub
parent 79ab798427
commit 2abaf320d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File

2
changelogs/fragments/69320-sys-path-cwd.yml
Unescape Escape View File

@ -0,0 +1,2 @@
bugfixes:
- ansiballz - remove '' and '.' from sys.path to fix a permissions issue on OpenBSD with pipelining (#69320)

1
docs/docsite/rst/porting_guides/porting_guide_2.10.rst
Unescape Escape View File

@ -138,6 +138,7 @@ Noteworthy module changes
* The parameter ``message`` in :ref:`grafana_dashboard <grafana_dashboard_module>` module is renamed to ``commit_message`` since ``message`` is used by Ansible Core engine internally. * The parameter ``message`` in :ref:`grafana_dashboard <grafana_dashboard_module>` module is renamed to ``commit_message`` since ``message`` is used by Ansible Core engine internally.
* The parameter ``message`` in :ref:`datadog_monitor <datadog_monitor_module>` module is renamed to ``notification_message`` since ``message`` is used by Ansible Core engine internally. * The parameter ``message`` in :ref:`datadog_monitor <datadog_monitor_module>` module is renamed to ``notification_message`` since ``message`` is used by Ansible Core engine internally.
* The parameter ``message`` in :ref:`bigpanda <bigpanda_module>` module is renamed to ``deployment_message`` since ``message`` is used by Ansible Core engine internally. * The parameter ``message`` in :ref:`bigpanda <bigpanda_module>` module is renamed to ``deployment_message`` since ``message`` is used by Ansible Core engine internally.
* Ansible no longer looks for Python modules in the current working directory (typically the ``remote_user``'s home directory) when an Ansible module is run. This is to fix becoming an unprivileged user on OpenBSD and to mitigate any attack vector if the current working directory is writable by a malicious user. Install any Python modules needed to run the Ansible modules on the managed node in a system-wide location or in another directory which is in the ``remote_user``'s ``$PYTHONPATH`` and readable by the ``become_user``.
Plugins Plugins

6
lib/ansible/executor/module_common.py
Unescape Escape View File

@ -143,8 +143,10 @@ def _ansiballz_main():
# OSX raises OSError if using abspath() in a directory we don't have # OSX raises OSError if using abspath() in a directory we don't have
# permission to read (realpath calls abspath) # permission to read (realpath calls abspath)
pass pass
if scriptdir is not None:
sys.path = [p for p in sys.path if p != scriptdir] # Strip cwd from sys.path to avoid potential permissions issues
excludes = set(('', '.', scriptdir))
sys.path = [p for p in sys.path if p not in excludes]
import base64 import base64
import runpy import runpy

Write Preview
Loading…
Cancel
Save