[stable-2.4] ignore ansible.cfg in world writable cwd (#42070)

* ignore ansible.cfg in world writable cwd * also added 'warnings' to config * updated man page template. (cherry picked from commit b6f2aad600) Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
8 years ago · f32c42c37a
parent 84e7772523
commit f32c42c37a
4 changed files with 35 additions and 7 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,8 @@ Ansible Changes By Release
 ### Bugfixes
 * **Security Fix** - avoid loading host/group vars from cwd when not specifying
  a playbook or playbook base dir (https://github.com/ansible/ansible/pull/42067)
+* **Security Fix** - avoid using ansible.cfg in a world readable dir
+  https://github.com/ansible/ansible/pull/42070


 <a id="2.4.5"></a>
--- a/docs/templates/man.j2
+++ b/docs/templates/man.j2
@ -76,17 +76,18 @@ ENVIRONMENT
 The following environment variables may be specified.

 {% if inventory %}
-ANSIBLE_INVENTORY  -- Override the default ansible inventory file
+ANSIBLE_INVENTORY  -- Override the default ansible inventory sources

 {% endif %}
 {% if library %}
 ANSIBLE_LIBRARY -- Override the default ansible module library path

 {% endif %}
-ANSIBLE_CONFIG -- Override the default ansible config file
+ANSIBLE_CONFIG -- Specify override location for the ansible config file

 Many more are available for most options in ansible.cfg

+For a full list check https://docs.ansible.com/. or use the `ansible-config` command.

 FILES
 -----
@ -99,6 +100,9 @@ FILES

 ~/.ansible.cfg -- User config file, overrides the default config if present

+./ansible.cfg -- Local config file (in current working direcotry) assumed to be 'project specific' and overrides the rest if present.
+
+As mentioned above, the ANSIBLE_CONFIG environment variable will override all others.

 AUTHOR
 ------
@ -110,8 +114,8 @@ See the AUTHORS file for a complete list of contributors.
 COPYRIGHT
 ---------

-Copyright © 2017 Red Hat, Inc | Ansible.
-Ansible is released under the terms of the GPLv3 License.
+Copyright © 2018 Red Hat, Inc | Ansible.
+Ansible is released under the terms of the GPLv3 license.


 SEE ALSO
--- a/lib/ansible/config/manager.py
+++ b/lib/ansible/config/manager.py
@ -7,6 +7,7 @@ __metaclass__ = type

 import os
 import sys
+import stat
 import tempfile
 import yaml

@ -134,7 +135,7 @@ def get_ini_config_value(p, entry):
    return value


-def find_ini_config_file():
+def find_ini_config_file(warnings=None):
    ''' Load INI Config File order(first found is used): ENV, CWD, HOME, /etc/ansible '''
    # FIXME: eventually deprecate ini configs

@ -144,7 +145,14 @@ def find_ini_config_file():
        if os.path.isdir(path0):
            path0 += "/ansible.cfg"
    try:
-        path1 = os.getcwd() + "/ansible.cfg"
+        path1 = os.getcwd()
+        perms1 = os.stat(path1)
+        if perms1.st_mode & stat.S_IWOTH:
+            if warnings is not None:
+                warnings.add("Ansible is in a world writable directory (%s), ignoring it as an ansible.cfg source." % to_text(path1))
+            path1 = None
+        else:
+            path1 += "/ansible.cfg"
    except OSError:
        path1 = None
    path2 = unfrackpath("~/.ansible.cfg", follow=False)
@ -163,6 +171,7 @@ class ConfigManager(object):

    UNABLE = []
    DEPRECATED = []
+    WARNINGS = set()

    def __init__(self, conf_file=None):

@ -184,7 +193,7 @@ class ConfigManager(object):

        if self._config_file is None:
            # set config using ini
-            self._config_file = find_ini_config_file()
+            self._config_file = find_ini_config_file(self.WARNINGS)

        if self._config_file:
            if os.path.exists(self._config_file):
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@ -18,6 +18,16 @@ from ansible.module_utils.six import string_types
 from ansible.config.manager import ConfigManager, ensure_type, get_ini_config_value


+def _warning(msg):
+    ''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
+    try:
+        from __main__ import display
+        display.warning(msg)
+    except:
+        import sys
+        sys.stderr.write(' [WARNING] %s\n' % (msg))
+
+
 def _deprecated(msg):
    ''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
    try:
@ -122,3 +132,6 @@ for setting in config.data.get_settings():
        value = ensure_type(value, setting.name)

    set_constant(setting.name, value)
+
+for warn in config.WARNINGS:
+    _warning(warn)