Make sure password files from lookups are created with restrictive permissions

Also adds checks for the lookup integration test for passwords. Fixes #8652
10 years ago · d4ff0d125a
parent 3a7aca6066
commit d4ff0d125a
2 changed files with 32 additions and 5 deletions
--- a/lib/ansible/runner/lookup_plugins/password.py
+++ b/lib/ansible/runner/lookup_plugins/password.py
@ -80,7 +80,10 @@ class LookupModule(object):
            if not os.path.exists(path):
                pathdir = os.path.dirname(path)
                if not os.path.isdir(pathdir):
-                    os.makedirs(pathdir)
+                    try:
+                        os.makedirs(pathdir, mode=0700)
+                    except OSError, e:
+                        raise errors.AnsibleError("cannot create the path for the password lookup: %s (error was %s)" % (pathdir, str(e)))

                chars = "".join([getattr(string,c,c) for c in use_chars]).replace('"','').replace("'",'')
                password = ''.join(random.choice(chars) for _ in range(length))
@ -91,6 +94,7 @@ class LookupModule(object):
                else:
                    content = password
                with open(path, 'w') as f:
+                    os.chmod(path, 0600)
                    f.write(content + '\n')
            else:
                content = open(path).read().rstrip()
@ -108,10 +112,12 @@ class LookupModule(object):
                    salt = self.random_salt()
                    content = '%s salt=%s' % (password, salt)
                    with open(path, 'w') as f:
+                        os.chmod(path, 0600)
                        f.write(content + '\n')
                # crypt not requested, remove salt if present
                elif (encrypt is None and salt):
                    with open(path, 'w') as f:
+                        os.chmod(path, 0600)
                        f.write(password + '\n')

            if encrypt:
--- a/test/integration/roles/test_lookups/tasks/main.yml
+++ b/test/integration/roles/test_lookups/tasks/main.yml
@ -36,20 +36,41 @@
 # PASSWORD LOOKUP

 - name: remove previous password files
-  file: dest={{output_dir}}/password state=absent
+  file: dest={{output_dir}}/lookup/password state=absent
+  with_items:
+  - "{{output_dir}}/lookup/password"
+  - "{{output_dir}}/lookup"

 - name: create a password file
  set_fact: 
-    newpass: "{{ lookup('password', output_dir + '/password length=8') }}"
+    newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: stat the password file directory
+  stat: path="{{output_dir}}/lookup"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0700'
+
+- name: stat the password file
+  stat: path="{{output_dir}}/lookup/password"
+  register: result
+
+- name: assert the directory's permissions
+  assert:
+    that:
+    - result.stat.mode == '0600'

 - name: get password length
-  shell: wc -c {{output_dir}}/password | awk '{print $1}'
+  shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
  register: wc_result

 - debug: var=wc_result.stdout

 - name: read password
-  shell: cat {{output_dir}}/password
+  shell: cat {{output_dir}}/lookup/password
  register: cat_result

 - debug: var=cat_result.stdout