* [stable-2.8] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix service test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry picked from commit dc79528cc6)
* Use new category in changelog fragments
With collections migration, inventory scripts are moved from devel (2.10).
Point docs for inventory script to their respective version.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Remove the params module option from ldap_attr and ldap_entry
Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html
Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.
Fixes CVE-2020-1746
(cherry picked from commit 0ff609f1bc)
* Fix formatting for option names
Co-Authored-By: Felix Fontein <felix@fontein.de>
* Fix fail_json
* update sanity
* fix indentation error
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* docs: update version-checker to latest 3 versions (#64109)
(cherry picked from commit 409545825f)
* [Doc-Release-2.9] update release and maintenance page for 2.9 (#64166)
* update release and maintenance page for 2.9
* only 2.4 and earlier used the old changelog system
(cherry picked from commit 3f808d9ed6)
* cherrypick #58832
* fix width (#61619)
(cherry picked from commit 1d40d2b572)
* Minify theme (#61734)
* moved most ansible edits out of theme.css
* remove unnecessary edit to theme.css
* replace with upstream minified theme.css for 0.4.3
(cherry picked from commit de826b437d)
* Minify ansible (#61792)
* make all comments special to survive minify
* minified css
(cherry picked from commit 7efaad711e)
Add information and examples on how to use additional properties from a doc fragment
Add info about layering properties
(cherry picked from commit 9b348e690c)
(cherry picked from commit 5deb01c84d)
(cherry picked from commit 041c52d629)
The docs now have multi-level breadcrumbs so including "Sanity Tests »" in the title on a sanity test page is redundant.
(cherry picked from commit b4494fa547)
* Fix notifying handlers by using an exact match rather than a string subset if listen is text rather than a list
* Enforce better type checking for listeners
* Share code for validating handler listeners
* Add test for handlers without names
* Add test for templating in handlers
* Add test for include_role
* Add a couple notes about 'listen' for handlers
* changelog
(cherry picked from commit ec1287ca7e)
* Remove lexers which have been fixed in Pygments 2.4.0.
* Add Pygments >= 2.4.0 to test runner.
* Fix pages that triggered lexer errors.
Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
(cherry picked from commit 505c99265c)
Changes example to `when: inventory_hostname == ansible_play_hosts_all[0]` to really run run_once regardless of serial.
(cherry picked from commit dea9644d21)
* Clarify that GPLv3+ module_utils need core team approval.
* Update docs/docsite/rst/dev_guide/shared_snippets/licensing.txt
Co-Authored-By: Sam Doran <sdoran@redhat.com>
* More 'module_util' -> 'file in module_utils'.
(cherry picked from commit 53ec9c8019)
Link to ansible-bender instead of the deprecated ansible-container.
Co-Authored-By: Felix Fontein <felix@fontein.de>
(cherry picked from commit 66bfa27685)
Alicia Cozine