Merge pull request #11764 from lpirl/devel_v2

fixes remote code execution for su/sudo with strict remote umasks

lib/ansible/plugins/action/__init__.py

@@ -164,7 +164,7 @@ class ActionBase:
 
         tmp_mode = None
         if self._play_context.remote_user != 'root' or self._play_context.become and self._play_context.become_user != 'root':
-            tmp_mode = 'a+rx'
+            tmp_mode = 0755
 
         cmd = self._connection._shell.mkdtemp(basefile, use_system_tmp, tmp_mode)
         self._display.debug("executing _low_level_execute_command to create the tmp path")

lib/ansible/plugins/shell/sh.py

@@ -65,9 +65,14 @@ class ShellModule(object):
         if system and (basetmp.startswith('$HOME') or basetmp.startswith('~/')):
             basetmp = self.join_path('/tmp', basefile)
         cmd = 'mkdir -p "%s"' % basetmp
-        if mode:
-            cmd += ' && chmod %s "%s"' % (mode, basetmp)
         cmd += ' && echo "%s"' % basetmp
+
+        # change the umask in a subshell to achieve the desired mode
+        # also for directories created with `mkdir -p`
+        if mode:
+            tmp_umask = 0777 & ~mode
+            cmd = '(umask %o && %s)' % (tmp_umask, cmd)
+
         return cmd
 
     def expand_user(self, user_home_path):