Commit Graph

6 Commits (370ad5c7c6a6294b3ade1d1447cca2e36a4831de)

Author SHA1 Message Date
Sam Doran ea8c219402
[stable-2.9] Revert "Change default file permissions so they are not world readable (#70221) (#70825)" (#71232)
This reverts commit 0199b1cf05.
4 years ago
Sam Doran 0199b1cf05
[stable-2.9] Change default file permissions so they are not world readable (#70221) (#70825)
* [stable-2.9] Change default file permissions so they are not world readable (#70221)

* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)

Co-authored-by: Sam Doran <sdoran@redhat.com>

* Fix jboss test

* Fix lamdba_policy test

* Fix aws_lamdba test

* Fix warning for new default permissions when mode is not specified (#70976)

Follow up to #70221
Related to #67794
CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.

Add integration tests to ensure the warning works properly.

* Fix tests
- actually use custom module 🤦‍♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6

(cherry-picked from commit dc79528cc6)

* Use new category in changelog fragments
4 years ago
Felix Fontein 51229eb99c
AWS modules: _facts -> _info (#57613)
* Rename aws_acm_facts -> aws_acm_info.

* Rename aws_az_facts -> aws_az_info.

* Rename aws_caller_facts -> aws_caller_info.

* Rename aws_kms_facts -> aws_kms_info.

* Rename aws_region_facts -> aws_region_info.

* Rename aws_sgw_facts -> aws_sgw_info.

* Rename aws_waf_facts -> aws_waf_info.

* Adjust docs.

* Add changelog and update porting guide.
6 years ago
Will Thames 0b4f92d852 Lambda policy arn (#38863)
* Fix the function_name handling logic for lambda_policy

Switch the logic handling function_names that are ARNs
so that ARNs are correctly handled and detected

* Add tests for lambda_policy function_arn

Ensure that function_arn works.

Needs a reasonable ansible_lambda_role.
7 years ago
Matt Martz 4fe08441be Deprecate tests used as filters (#32361)
* Warn on tests used as filters

* Update docs, add aliases for tests that fit more gramatically with test syntax

* Fix rst formatting

* Add successful filter, alias of success

* Remove renamed_deprecation, it was overkill

* Make directory alias for is_dir

* Update tests to use proper jinja test syntax

* Update additional documentation, living outside of YAML files, to reflect proper jinja test syntax

* Add conversion script, porting guide updates, and changelog updates

* Update newly added uses of tests as filters

* No underscore variable

* Convert recent tests as filter changes to win_stat

* Fix some changes related to rebasing a few integration tests

* Make tests_as_filters_warning explicitly accept the name of the test, instead of inferring the name

* Add test for tests_as_filters_warning

* Update tests as filters in newly added/modified tests

* Address recent changes to several integration tests

* Address recent changes in cs_vpc
7 years ago
Matt Clay 783da545b2 Rename AWS test targets to match modules:
- ec2_facts -> ec2_metadata_facts
- ec2_elb_lb -> elb_classic_lb
- aws_lambda_policy -> lambda_policy
7 years ago