From 1de45bf687e83aadeda0b730b0ad0c7cd095fc97 Mon Sep 17 00:00:00 2001 From: xyrix Date: Thu, 6 Feb 2014 08:53:43 +0000 Subject: [PATCH 1/3] made accelerate keys directory configurable, and permissions for the file and dir configurable, and gave them a safe default --- lib/ansible/constants.py | 3 +++ lib/ansible/utils/__init__.py | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py index 496345c29b7..c055ccf3d0c 100644 --- a/lib/ansible/constants.py +++ b/lib/ansible/constants.py @@ -157,6 +157,9 @@ ZEROMQ_PORT = get_config(p, 'fireball_connection', 'zeromq_po ACCELERATE_PORT = get_config(p, 'accelerate', 'accelerate_port', 'ACCELERATE_PORT', 5099, integer=True) ACCELERATE_TIMEOUT = get_config(p, 'accelerate', 'accelerate_timeout', 'ACCELERATE_TIMEOUT', 30, integer=True) ACCELERATE_CONNECT_TIMEOUT = get_config(p, 'accelerate', 'accelerate_connect_timeout', 'ACCELERATE_CONNECT_TIMEOUT', 1.0, floating=True) +ACCELERATE_KEYS_DIR = get_config(p, 'accelerate', 'accelerate_keys_dir', 'ACCELERATE_KEYS_DIR', '~/.fireball.keys') +ACCELERATE_KEYS_DIR_PERMS = get_config(p, 'accelerate', 'accelerate_keys_dir_perms', 'ACCELERATE_KEYS_DIR_PERMS', '700') +ACCELERATE_KEYS_FILE_PERMS = get_config(p, 'accelerate', 'accelerate_keys_file_perms', 'ACCELERATE_KEYS_FILE_PERMS', '600') PARAMIKO_PTY = get_config(p, 'paramiko_connection', 'pty', 'ANSIBLE_PARAMIKO_PTY', True, boolean=True) # characters included in auto-generated passwords diff --git a/lib/ansible/utils/__init__.py b/lib/ansible/utils/__init__.py index 1a065ccd39b..c61f727de81 100644 --- a/lib/ansible/utils/__init__.py +++ b/lib/ansible/utils/__init__.py 
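Review bot: The two new `*_PERMS` constants are stored as raw strings, so every consumer in this series has to repeat `int(..., 8)` at the use site, which is exactly how the string-versus-int comparison that patch 3 later corrects crept in; parsing once here, e.g. `ACCELERATE_KEYS_DIR_PERMS = int(get_config(p, 'accelerate', 'accelerate_keys_dir_perms', 'ACCELERATE_KEYS_DIR_PERMS', '700'), 8)`, yields an int everywhere and makes a non-octal config value fail at load time with a clear traceback instead of a bare ValueError on the first accelerated task. Nothing in the names says the values are octal, so a short comment above them, `# octal, as for chmod(1); the defaults keep the key material private to the owner`, would save the next reader a trip to utils. The directory default reproduces the old hard-coded `~/.fireball.keys`, which looks intentional for backward compatibility and is worth saying in the same comment.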
@@ -87,15 +87,19 @@ def key_for_hostname(hostname): if not KEYCZAR_AVAILABLE: raise errors.AnsibleError("python-keyczar must be installed on the control machine to use accelerated modes") - key_path = os.path.expanduser("~/.fireball.keys") + key_path = os.path.expanduser(C.ACCELERATE_KEYS_DIR) if not os.path.exists(key_path): os.makedirs(key_path) - key_path = os.path.expanduser("~/.fireball.keys/%s" % hostname) + elif not os.path.isdir(key_path): + raise errors.AnsibleError('ACCELERATE_KEYS_DIR is not a directory.') + os.chmod(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8)) + key_path = os.path.join(key_path, hostname) # use new AES keys every 2 hours, which means fireball must not allow running for longer either if not os.path.exists(key_path) or (time.time() - os.path.getmtime(key_path) > 60*60*2): key = AesKey.Generate() - fh = open(key_path, "w") + fd = os.open(key_path, os.O_WRONLY | os.O_CREAT, int(C.ACCELERATE_KEYS_FILE_PERMS, 8)) + fh = os.fdopen(fd, 'w') fh.write(str(key)) fh.close() return key From 0af40374ed92d52b08caa39d1c2791788959df94 Mon Sep 17 00:00:00 2001 From: xyrix Date: Thu, 6 Feb 2014 12:48:34 +0000 Subject: [PATCH 2/3] fixed file perms checking --- lib/ansible/utils/__init__.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/ansible/utils/__init__.py b/lib/ansible/utils/__init__.py index c61f727de81..d4a54dd8956 100644 --- a/lib/ansible/utils/__init__.py +++ b/lib/ansible/utils/__init__.py 
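Review bot: Replacing `open(key_path, "w")` with `os.open(key_path, os.O_WRONLY | os.O_CREAT, ...)` drops truncation, so when a key is rotated after two hours into an already existing file and the new serialized key is ever shorter than the old one, the tail of the old key survives and the next `AesKey.Read` gets a corrupted blob; the flags need `os.O_TRUNC`. The mode argument to os.open also only applies when the file is created, so a rotated key is written into the existing inode with whatever mode it had, and `os.fchmod(fd, int(C.ACCELERATE_KEYS_FILE_PERMS, 8))` right after the open (or unlinking the stale file first) is needed for the configured file permission to actually hold. The create mode is further masked by the process umask, harmless for the 600 default but worth a one-line comment so nobody expects a more permissive setting to take effect. `key_for_hostname` starts before this hunk and its read branch continues after it.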
@@ -90,9 +90,13 @@ def key_for_hostname(hostname): key_path = os.path.expanduser(C.ACCELERATE_KEYS_DIR) if not os.path.exists(key_path): os.makedirs(key_path) + os.chmod(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8)) elif not os.path.isdir(key_path): raise errors.AnsibleError('ACCELERATE_KEYS_DIR is not a directory.') - os.chmod(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8)) + + if stat.S_IMODE(os.stat(key_path).st_mode) != C.ACCELERATE_KEYS_DIR_PERMS: + raise errors.AnsibleError('Incorrect permissions on ACCELERATE_KEYS_DIR (%s)' % (C.ACCELERATE_KEYS_DIR,)) + key_path = os.path.join(key_path, hostname) # use new AES keys every 2 hours, which means fireball must not allow running for longer either @@ -104,6 +108,8 @@ def key_for_hostname(hostname): fh.close() return key else: + if stat.S_IMODE(os.stat(key_path).st_mode) != C.ACCELERATE_KEYS_FILE_PERMS: + raise errors.AnsibleError('Incorrect permissions on ACCELERATE_KEYS_FILE (%s)' % (key_path,)) fh = open(key_path) key = AesKey.Read(fh.read()) fh.close() From 20d97416e51368c88cbc4674e10e2a15b10357a7 Mon Sep 17 00:00:00 2001 From: xyrix Date: Thu, 6 Feb 2014 13:02:11 +0000 Subject: [PATCH 3/3] fixed thinkoes --- lib/ansible/utils/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ansible/utils/__init__.py b/lib/ansible/utils/__init__.py index d4a54dd8956..b38afb2fd4a 100644 --- a/lib/ansible/utils/__init__.py +++ b/lib/ansible/utils/__init__.py @@ -94,7 +94,7 @@ def key_for_hostname(hostname): elif not os.path.isdir(key_path): raise errors.AnsibleError('ACCELERATE_KEYS_DIR is not a directory.') - if stat.S_IMODE(os.stat(key_path).st_mode) != C.ACCELERATE_KEYS_DIR_PERMS: + if stat.S_IMODE(os.stat(key_path).st_mode) != int(C.ACCELERATE_KEYS_DIR_PERMS, 8): raise errors.AnsibleError('Incorrect permissions on ACCELERATE_KEYS_DIR (%s)' % (C.ACCELERATE_KEYS_DIR,)) key_path = os.path.join(key_path, hostname) 
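Review bot: In the create branch the directory is made with `os.makedirs(key_path)` under the default mode and only chmod'ed afterwards, leaving a window in which a fresh keys directory is readable by others if the umask allows it; passing the mode in, `os.makedirs(key_path, int(C.ACCELERATE_KEYS_DIR_PERMS, 8))`, closes that window and the chmod can stay to override the umask. The new check relies on `stat.S_IMODE` while the series adds no `import stat`; presumably it is already imported at the top of utils/__init__.py, which this diff does not show, otherwise this is a NameError on first use. A comment above the check, `# keys are stored in the clear: refuse a keys dir anyone else can read`, would make the strict equality (rather than a "no group/other bits" test) read as deliberate. `key_for_hostname` begins before this hunk.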
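Review bot: The new permission check stats the path and a separate `open(key_path)` then reads it, so the file whose mode was checked is not necessarily the file whose bytes are read; checking the opened handle removes the gap: `fh = open(key_path)` followed by `if stat.S_IMODE(os.fstat(fh.fileno()).st_mode) != int(C.ACCELERATE_KEYS_FILE_PERMS, 8): raise ...`. Since the directory is required to be 0700 only the owner could swap the file in between, so this is more about making the check mean what it says than about a live attack. The check also only guards the read path: a key file that is both older than two hours and wrongly permissioned is rewritten by the rotation branch above this hunk without ever being inspected, and `O_CREAT` does not change the mode of an existing file. The enclosing function and the trailing `return key` lie outside this hunk.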
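Review bot: The error raised on a permission mismatch names the config key but neither the resolved path nor the modes involved, so a user who hits it after a restrictive umask or a pre-existing directory has to go and stat it by hand; `key_path` is still the expanded directory at this point, and `raise errors.AnsibleError('Incorrect permissions on ACCELERATE_KEYS_DIR (%s): found %s, expected %s' % (key_path, oct(stat.S_IMODE(os.stat(key_path).st_mode)), C.ACCELERATE_KEYS_DIR_PERMS))` makes the failure self-explaining. The same `int(C.ACCELERATE_KEYS_DIR_PERMS, 8)` conversion is now repeated in this function; binding it once near the top, `dir_mode = int(C.ACCELERATE_KEYS_DIR_PERMS, 8)`, would keep the next edit from reintroducing the mismatch this patch corrects. The function starts before this hunk.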
@@ -108,7 +108,7 @@ def key_for_hostname(hostname): fh.close() return key else: - if stat.S_IMODE(os.stat(key_path).st_mode) != C.ACCELERATE_KEYS_FILE_PERMS: + if stat.S_IMODE(os.stat(key_path).st_mode) != int(C.ACCELERATE_KEYS_FILE_PERMS, 8): raise errors.AnsibleError('Incorrect permissions on ACCELERATE_KEYS_FILE (%s)' % (key_path,)) fh = open(key_path) key = AesKey.Read(fh.read())
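Review bot: The message in this hunk refers to `ACCELERATE_KEYS_FILE`, which is not a setting anywhere in this series (the constant is `ACCELERATE_KEYS_FILE_PERMS` and the path is the per-host file under `ACCELERATE_KEYS_DIR`), so anyone searching the docs for it finds nothing; `'Incorrect permissions on accelerate key file %s: found %s, expected %s' % (key_path, oct(stat.S_IMODE(os.stat(key_path).st_mode)), C.ACCELERATE_KEYS_FILE_PERMS)` states what is actually wrong and where. The file is still read with a bare `open`/`read`/`close`, so an exception out of `AesKey.Read` leaks the handle; `with open(key_path) as fh:` is the usual form and also lets the mode check be done on `fh.fileno()` rather than on the path. `key_for_hostname` starts and ends outside this hunk.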