Make sure umask is set restrictively before creating any vault files

pull/7063/head
James Cammarata 11 years ago
parent 632eb18333
commit 75e0b7a5cf

@ -191,12 +191,14 @@ class VaultEditor(object):
raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename) raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename)
# drop the user into vim on file # drop the user into vim on file
old_umask = os.umask(0077)
call(self._editor_shell_command(self.filename)) call(self._editor_shell_command(self.filename))
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(self.filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
this_vault.cipher_name = self.cipher_name this_vault.cipher_name = self.cipher_name
enc_data = this_vault.encrypt(tmpdata) enc_data = this_vault.encrypt(tmpdata)
self.write_data(enc_data, self.filename) self.write_data(enc_data, self.filename)
os.umask(old_umask)
def decrypt_file(self): def decrypt_file(self):
@ -222,6 +224,9 @@ class VaultEditor(object):
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH: if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
raise errors.AnsibleError(CRYPTO_UPGRADE) raise errors.AnsibleError(CRYPTO_UPGRADE)
# make sure the umask is set to a sane value
old_mask = os.umask(0077)
# decrypt to tmpfile # decrypt to tmpfile
tmpdata = self.read_data(self.filename) tmpdata = self.read_data(self.filename)
this_vault = VaultLib(self.password) this_vault = VaultLib(self.password)
@ -246,6 +251,9 @@ class VaultEditor(object):
# shuffle tmp file into place # shuffle tmp file into place
self.shuffle_files(tmp_path, self.filename) self.shuffle_files(tmp_path, self.filename)
# and restore the old umask
os.umask(old_mask)
def encrypt_file(self): def encrypt_file(self):
if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH: if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:

Loading…
Cancel
Save