From d4ff0d125a0ebccbb0cdd23e5a3bd7d82644522f Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Tue, 19 Aug 2014 11:30:04 -0500
Subject: [PATCH] Make sure password files from lookups are created with restrictive permissions

Also adds checks for the lookup integration test for passwords.

Fixes #8652
---
 lib/ansible/runner/lookup_plugins/password.py | 8 ++++-
 .../roles/test_lookups/tasks/main.yml | 29 ++++++++++++++++---
 2 files changed, 32 insertions(+), 5 deletions(-)

diff --git a/lib/ansible/runner/lookup_plugins/password.py b/lib/ansible/runner/lookup_plugins/password.py
index b1a648a0571..a066887e2c2 100644
--- a/lib/ansible/runner/lookup_plugins/password.py
+++ b/lib/ansible/runner/lookup_plugins/password.py
@@ -80,7 +80,10 @@ class LookupModule(object):
 if not os.path.exists(path):
 pathdir = os.path.dirname(path)
 if not os.path.isdir(pathdir):
- os.makedirs(pathdir)
+ try:
+ os.makedirs(pathdir, mode=0700)
+ except OSError, e:
+ raise errors.AnsibleError("cannot create the path for the password lookup: %s (error was %s)" % (pathdir, str(e)))
 chars = "".join([getattr(string,c,c) for c in use_chars]).replace('"','').replace("'",'')
 password = ''.join(random.choice(chars) for _ in range(length))
@@ -91,6 +94,7 @@ class LookupModule(object):
 else:
 content = password
 with open(path, 'w') as f:
+ os.chmod(path, 0600)
 f.write(content + '\n')
 else:
 content = open(path).read().rstrip()
@@ -108,10 +112,12 @@ class LookupModule(object):
 salt = self.random_salt()
 content = '%s salt=%s' % (password, salt)
 with open(path, 'w') as f:
+ os.chmod(path, 0600)
 f.write(content + '\n')
 # crypt not requested, remove salt if present
 elif (encrypt is None and salt):
 with open(path, 'w') as f:
+ os.chmod(path, 0600)
 f.write(password + '\n')
 if encrypt:
diff --git a/test/integration/roles/test_lookups/tasks/main.yml b/test/integration/roles/test_lookups/tasks/main.yml
index 04b533d72c2..6480b18b357 100644
--- a/test/integration/roles/test_lookups/tasks/main.yml
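Review bot: The 0700 mode in `os.makedirs(pathdir, mode=0700)` only takes effect when this code creates the directory; a `pathdir` that already exists with wider permissions passes the `os.path.isdir(pathdir)` check untouched, so on a re-run against a directory created by an earlier version nothing is tightened. If the lookup directory is meant to be private, either add `os.chmod(pathdir, 0700)` on the existing-directory path or document the limit with `# mode is applied only to directories created here; an existing directory keeps its mode`. The new `except OSError, e` also turns a concurrent create between the isdir check and makedirs into an AnsibleError; re-checking `os.path.isdir(pathdir)` inside the except before raising would make that race harmless. The enclosing method starts before this hunk.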
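Review bot: `os.chmod(path, 0600)` runs after `open(path, 'w')` has already created the file with the umask-derived default mode, so the (empty) file briefly exists with wider permissions, and chmod by path acts on whatever `path` resolves to at that moment rather than on the descriptor that was opened; the same pattern appears twice in the next hunk (the `salt = self.random_salt()` block). Creating the file with the restrictive mode from the start removes the window: `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` followed by `with os.fdopen(fd, 'w') as f:`; at minimum `os.fchmod(f.fileno(), 0600)` ties the mode change to the file that was actually opened. Separately, the `else:` branch that reads an existing file (`content = open(path).read().rstrip()`) leaves that file's current mode as is, so password files written by earlier versions keep whatever permissions they had. The enclosing method starts before this hunk.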
+++ b/test/integration/roles/test_lookups/tasks/main.yml
@@ -36,20 +36,41 @@
 # PASSWORD LOOKUP
 - name: remove previous password files
- file: dest={{output_dir}}/password state=absent
+ file: dest={{output_dir}}/lookup/password state=absent
+ with_items:
+ - "{{output_dir}}/lookup/password"
+ - "{{output_dir}}/lookup"
 - name: create a password file
 set_fact:
- newpass: "{{ lookup('password', output_dir + '/password length=8') }}"
+ newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
+
+- name: stat the password file directory
+ stat: path="{{output_dir}}/lookup"
+ register: result
+
+- name: assert the directory's permissions
+ assert:
+ that:
+ - result.stat.mode == '0700'
+
+- name: stat the password file
+ stat: path="{{output_dir}}/lookup/password"
+ register: result
+
+- name: assert the directory's permissions
+ assert:
+ that:
+ - result.stat.mode == '0600'
 - name: get password length
- shell: wc -c {{output_dir}}/password | awk '{print $1}'
+ shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
 register: wc_result
 - debug: var=wc_result.stdout
 - name: read password
- shell: cat {{output_dir}}/password
+ shell: cat {{output_dir}}/lookup/password
 register: cat_result
 - debug: var=cat_result.stdout
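Review bot: The cleanup task `file: dest={{output_dir}}/lookup/password state=absent` is given a `with_items` list but never references `item`, so both iterations remove the same file and `{{output_dir}}/lookup` is never deleted; on a re-run the directory already exists, the new `os.makedirs(..., mode=0700)` branch in the lookup plugin is not exercised, and the `'0700'` assertion only reflects whatever mode the leftover directory happens to have. It should read `file: dest={{item}} state=absent`, keeping the file listed before the directory as it is now. The second assert task is also named "assert the directory's permissions" although it checks the password file; `- name: assert the password file's permissions` would describe what it does.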