[stable-2.4] ignore ansible.cfg in world writable cwd (#42070)

* ignore ansible.cfg in world writable cwd
 * also added 'warnings' to config
 * updated man page template.
(cherry picked from commit b6f2aad600)

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Brian Coca 8 years ago committed by Toshio Kuratomi
parent 84e7772523
commit f32c42c37a

@ -8,6 +8,8 @@ Ansible Changes By Release
### Bugfixes ### Bugfixes
* **Security Fix** - avoid loading host/group vars from cwd when not specifying * **Security Fix** - avoid loading host/group vars from cwd when not specifying
a playbook or playbook base dir (https://github.com/ansible/ansible/pull/42067) a playbook or playbook base dir (https://github.com/ansible/ansible/pull/42067)
* **Security Fix** - avoid using ansible.cfg in a world readable dir
https://github.com/ansible/ansible/pull/42070
<a id="2.4.5"></a> <a id="2.4.5"></a>

@ -76,17 +76,18 @@ ENVIRONMENT
The following environment variables may be specified. The following environment variables may be specified.
{% if inventory %} {% if inventory %}
ANSIBLE_INVENTORY -- Override the default ansible inventory file ANSIBLE_INVENTORY -- Override the default ansible inventory sources
{% endif %} {% endif %}
{% if library %} {% if library %}
ANSIBLE_LIBRARY -- Override the default ansible module library path ANSIBLE_LIBRARY -- Override the default ansible module library path
{% endif %} {% endif %}
ANSIBLE_CONFIG -- Override the default ansible config file ANSIBLE_CONFIG -- Specify override location for the ansible config file
Many more are available for most options in ansible.cfg Many more are available for most options in ansible.cfg
For a full list check https://docs.ansible.com/. or use the `ansible-config` command.
FILES FILES
----- -----
@ -99,6 +100,9 @@ FILES
~/.ansible.cfg -- User config file, overrides the default config if present ~/.ansible.cfg -- User config file, overrides the default config if present
./ansible.cfg -- Local config file (in current working direcotry) assumed to be 'project specific' and overrides the rest if present.
As mentioned above, the ANSIBLE_CONFIG environment variable will override all others.
AUTHOR AUTHOR
------ ------
@ -110,8 +114,8 @@ See the AUTHORS file for a complete list of contributors.
COPYRIGHT COPYRIGHT
--------- ---------
Copyright © 2017 Red Hat, Inc | Ansible. Copyright © 2018 Red Hat, Inc | Ansible.
Ansible is released under the terms of the GPLv3 License. Ansible is released under the terms of the GPLv3 license.
SEE ALSO SEE ALSO

@ -7,6 +7,7 @@ __metaclass__ = type
import os import os
import sys import sys
import stat
import tempfile import tempfile
import yaml import yaml
@ -134,7 +135,7 @@ def get_ini_config_value(p, entry):
return value return value
def find_ini_config_file(): def find_ini_config_file(warnings=None):
''' Load INI Config File order(first found is used): ENV, CWD, HOME, /etc/ansible ''' ''' Load INI Config File order(first found is used): ENV, CWD, HOME, /etc/ansible '''
# FIXME: eventually deprecate ini configs # FIXME: eventually deprecate ini configs
@ -144,7 +145,14 @@ def find_ini_config_file():
if os.path.isdir(path0): if os.path.isdir(path0):
path0 += "/ansible.cfg" path0 += "/ansible.cfg"
try: try:
path1 = os.getcwd() + "/ansible.cfg" path1 = os.getcwd()
perms1 = os.stat(path1)
if perms1.st_mode & stat.S_IWOTH:
if warnings is not None:
warnings.add("Ansible is in a world writable directory (%s), ignoring it as an ansible.cfg source." % to_text(path1))
path1 = None
else:
path1 += "/ansible.cfg"
except OSError: except OSError:
path1 = None path1 = None
path2 = unfrackpath("~/.ansible.cfg", follow=False) path2 = unfrackpath("~/.ansible.cfg", follow=False)
@ -163,6 +171,7 @@ class ConfigManager(object):
UNABLE = [] UNABLE = []
DEPRECATED = [] DEPRECATED = []
WARNINGS = set()
def __init__(self, conf_file=None): def __init__(self, conf_file=None):
@ -184,7 +193,7 @@ class ConfigManager(object):
if self._config_file is None: if self._config_file is None:
# set config using ini # set config using ini
self._config_file = find_ini_config_file() self._config_file = find_ini_config_file(self.WARNINGS)
if self._config_file: if self._config_file:
if os.path.exists(self._config_file): if os.path.exists(self._config_file):
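Review bot: The `if perms1.st_mode & stat.S_IWOTH:` branch warns and drops the cwd even when no ansible.cfg exists there, so every run from a directory such as /tmp reports "ignoring it as an ansible.cfg source" although nothing is being ignored. Checking for the file first keeps the rejection while removing the noise: `cwd_cfg = os.path.join(path1, "ansible.cfg")`, then `if os.path.exists(cwd_cfg) and perms1.st_mode & stat.S_IWOTH:`, with the else branch becoming `path1 = cwd_cfg`. The message also calls `to_text`, whose import is not visible in this hunk, so confirm it is in scope in manager.py. The changelog entry in this commit says "world readable dir" while the check is on S_IWOTH; "world writable" would match the code. The rest of find_ini_config_file continues outside the hunk.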

@ -18,6 +18,16 @@ from ansible.module_utils.six import string_types
from ansible.config.manager import ConfigManager, ensure_type, get_ini_config_value from ansible.config.manager import ConfigManager, ensure_type, get_ini_config_value
def _warning(msg):
''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
try:
from __main__ import display
display.warning(msg)
except:
import sys
sys.stderr.write(' [WARNING] %s\n' % (msg))
def _deprecated(msg): def _deprecated(msg):
''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write ''' ''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
try: try:
@ -122,3 +132,6 @@ for setting in config.data.get_settings():
value = ensure_type(value, setting.name) value = ensure_type(value, setting.name)
set_constant(setting.name, value) set_constant(setting.name, value)
for warn in config.WARNINGS:
_warning(warn)
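Review bot: `_warning` uses a bare `except:`, which also swallows SystemExit and KeyboardInterrupt and hides a genuine failure inside `display.warning` instead of only handling the missing `display` import; `except Exception:` keeps the intended fallback to stderr. This mirrors the existing `_deprecated` helper, so it is a style point rather than a regression, but the new copy is the place to narrow it. The `import sys` inside the handler suggests sys may not be imported at module level in constants.py; if it is, the local import is redundant.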
