diff --git a/changelogs/fragments/67353-docker_login-permissions.yml b/changelogs/fragments/67353-docker_login-permissions.yml
new file mode 100644
index 00000000000..ddb38e0fd4e
--- /dev/null
+++ b/changelogs/fragments/67353-docker_login-permissions.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "docker_login - make sure that ``~/.docker/config.json`` is created with permissions ``0600``."
diff --git a/lib/ansible/modules/cloud/docker/docker_login.py b/lib/ansible/modules/cloud/docker/docker_login.py
index fec48a8acfa..c1a1bad7903 100644
--- a/lib/ansible/modules/cloud/docker/docker_login.py
+++ b/lib/ansible/modules/cloud/docker/docker_login.py
@@ -244,9 +244,13 @@ class DockerFileStore(object):
         dir = os.path.dirname(self._config_path)
         if not os.path.exists(dir):
             os.makedirs(dir)
-        # Write config
-        with open(self._config_path, "w") as f:
-            json.dump(self._config, f, indent=4, sort_keys=True)
+        # Write config; make sure it has permissions 0x600
+        content = json.dumps(self._config, indent=4, sort_keys=True).encode('utf-8')
+        f = os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+        try:
+            os.write(f, content)
+        finally:
+            os.close(f)
 
     def store(self, server, username, password):
         '''
diff --git a/test/integration/targets/docker_login/tasks/tests/docker_login.yml b/test/integration/targets/docker_login/tasks/tests/docker_login.yml
index a1d12097db9..33aaf08feaa 100644
--- a/test/integration/targets/docker_login/tasks/tests/docker_login.yml
+++ b/test/integration/targets/docker_login/tasks/tests/docker_login.yml
@@ -43,6 +43,11 @@
     state: present
     register: login_2
 
+- name: Get permissions of ~/.docker/config.json
+  stat:
+    path: ~/.docker/config.json
+  register: login_2_stat
+
 - name: Log in (idempotent)
   docker_login:
     registry_url: "{{ registry_frontend_address }}"
@@ -67,6 +72,7 @@
     - login_2 is changed
     - login_3 is not changed
     - login_4 is not changed
+    - login_2_stat.stat.mode == '0600'
 
 - name: Log in again with wrong password (check mode)
   docker_login:
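Review bot: The `0o600` passed to `os.open` only takes effect when the file is created, so a `config.json` that already exists from an earlier run — the removed `open(self._config_path, "w")` path created it with the default umask-derived mode, typically world-readable — keeps its old permissions and the credentials stay exposed; the hunk should also force the mode on the descriptor it already holds. Two smaller points in the same lines: `os.write` is not guaranteed to write all of `content` in one call (only the returned byte count is written), and the comment says `0x600` where the code means octal `0o600`. Wrapping the descriptor with `os.fdopen` keeps the original `json.dump` call and `with`-block cleanup while letting `os.fchmod` (Unix only; `os.chmod` on the path if other platforms matter) tighten a pre-existing file; the enclosing method starts outside the hunk.
```python
        # Write config; make sure it has permissions 0o600, also when the file already existed
        fd = os.open(self._config_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as f:
            os.fchmod(fd, 0o600)
            json.dump(self._config, f, indent=4, sort_keys=True)
```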