Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry picked from commit dc79528cc6)
pull/71000/head
parent
a8217f1bd4
commit
5cb96087e6
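--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,4 @@
+bugfixes:
+  - >
+    Fix warning for default permission change when no mode is specified. Follow up
+    to https://github.com/ansible/ansible/issues/67794. (CVE-2020-1736)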
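--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1 @@
+shippable/posix/group5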
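--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Copyright (c) 2020 Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import tempfile
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec={
+            'dest': {'type': 'path'},
+            'call_fs_attributes': {'type': 'bool', 'default': True},
+        },
+        add_file_common_args=True,
+    )
+
+    results = {}
+
+    with tempfile.NamedTemporaryFile(delete=False) as tf:
+        file_args = module.load_file_common_arguments(module.params)
+        module.atomic_move(tf.name, module.params['dest'])
+
+    if module.params['call_fs_attributes']:
+        results['changed'] = module.set_fs_attributes_if_different(file_args, True)
+
+    module.exit_json(**results)
+
+
+if __name__ == '__main__':
+    main()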
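Review bot: `dest` is declared as `{'type': 'path'}` without `required`, so a caller that omits it reaches `module.atomic_move(tf.name, module.params['dest'])` with `None` and gets a traceback instead of an argument-validation error; declare it `'dest': {'type': 'path', 'required': True}`. The `delete=False` temp file is also left behind if `atomic_move` raises, which is tolerable for a test helper but deserves a one-line comment. A short module docstring would help readers of this test target: it moves a fresh `NamedTemporaryFile` onto `dest` via `atomic_move` and, unless `call_fs_attributes` is false, applies the common file arguments through `set_fs_attributes_if_different`, so the result carries a `changed` key only in that branch.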
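--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,2 @@
+dependencies:
+  - setup_remote_tmp_dir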
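--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,33 @@
+- name: Run task with no mode
+  test_perm_warning:
+    dest: "{{ remote_tmp_dir }}/endangerdisown"
+  register: no_mode_results
+
+- name: Run task with mode
+  test_perm_warning:
+    mode: '0644'
+    dest: "{{ remote_tmp_dir }}/groveestablish"
+  register: with_mode_results
+
+- name: Run task without calling set_fs_attributes_if_different()
+  test_perm_warning:
+    call_fs_attributes: no
+    dest: "{{ remote_tmp_dir }}/referabletank"
+  register: skip_fs_attributes
+
+- stat:
+    path: "{{ remote_tmp_dir }}/{{ item }}"
+  loop:
+    - endangerdisown
+    - groveestablish
+  register: files
+
+- name: Ensure we get a warning when appropriate
+  assert:
+    that:
+      - no_mode_results.warnings | default([], True) | length == 1
+      - "'created with default permissions' in no_mode_results.warnings[0]"
+      - files.results[0]['stat']['mode'] == '0600'
+      - files.results[1]['stat']['mode'] == '0644'
+      - with_mode_results.warnings is not defined # The Jinja version on CentOS 6 does not support default([], True)
+      - skip_fs_attributes.warnings | default([], True) | length == 1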
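Review bot: The file created by the `skip_fs_attributes` task (`referabletank`) is never stat'ed, so the `stat` loop and the final `assert` verify permissions only for the first two files even though that task also exercises the no-mode path the CVE fix is about. Adding `- referabletank` to the `loop` and `- files.results[2]['stat']['mode'] == '0600'` to `that` would pin its mode as well; since it is produced by the same `NamedTemporaryFile` + `atomic_move` sequence as `endangerdisown` with `set_fs_attributes_if_different()` skipped, 0600 is the expected value, though that should be confirmed against the module.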