From a0e027fe362fbc209dbeff2f72d6e95f39885c69 Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Fri, 18 Apr 2014 11:40:20 -0500
Subject: [PATCH] Make sure umask is set restrictively before creating any vault files
---
 lib/ansible/utils/vault.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/ansible/utils/vault.py b/lib/ansible/utils/vault.py
index 62b082a9af4..b92896edc76 100644
--- a/lib/ansible/utils/vault.py
+++ b/lib/ansible/utils/vault.py
@@ -189,6 +189,7 @@ class VaultEditor(object):
 raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename)
 # drop the user into vim on file
+ old_umask = os.umask(0077)
 EDITOR = os.environ.get('EDITOR','vim')
 call([EDITOR, self.filename])
 tmpdata = self.read_data(self.filename)
@@ -196,6 +197,7 @@ class VaultEditor(object):
 this_vault.cipher_name = self.cipher_name
 enc_data = this_vault.encrypt(tmpdata)
 self.write_data(enc_data, self.filename)
+ os.umask(old_umask)
 def decrypt_file(self):
@@ -218,6 +220,9 @@ class VaultEditor(object):
 if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
 raise errors.AnsibleError(CRYPTO_UPGRADE)
+ # make sure the umask is set to a sane value
+ old_mask = os.umask(0077)
+
 # decrypt to tmpfile
 tmpdata = self.read_data(self.filename)
 this_vault = VaultLib(self.password)
@@ -243,6 +248,9 @@ class VaultEditor(object):
 # shuffle tmp file into place
 self.shuffle_files(tmp_path, self.filename)
+ # and restore the old umask
+ os.umask(old_mask)
+
 def encrypt_file(self):
 if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
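Review bot: The umask restore added at +197 (`os.umask(old_umask)`) only runs on the success path: if `call([EDITOR, ...])`, `read_data`, `this_vault.encrypt` or `write_data` raises between the save at +189 and the restore, the process keeps the 0077 umask for the rest of the run and every later file this process creates is silently group/world-unreadable. The save at +220 and restore at +248 in decrypt_file have the same gap, and the code between those two hunks (the tmpfile write and `shuffle_files`) is outside the hunks. Wrap the span between save and restore in `try:`/`finally:` in both methods so the restore is unconditional; create_file's `def` line and the body of decrypt_file between the hunks are not visible here, so the reindentation below is indicative. Minor point of style: `0077` is the Python 2-only octal spelling, while `0o077` is accepted on 2.6+ and survives a Python 3 port.
```python
        # drop the user into vim on file
        old_umask = os.umask(0o077)
        try:
            # … unchanged: editor call, read_data, VaultLib encrypt, write_data …
            self.write_data(enc_data, self.filename)
        finally:
            # restore even when the editor or encryption raises, so files
            # created later in this process get the caller's umask back
            os.umask(old_umask)
```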