Commit Graph

128 Commits (4565a3893da010a345c631618056fb9e0f119bfe)

Author SHA1 Message Date
Sandra McCann c0be689295
replace porting guides with stub pages - issue 71687 (#71988) (#72600)
(cherry picked from commit 5a3a2d1a39)
5 years ago
Rick Elrod 69827e0894
Re-add changelogs and add docs for CVE-2020-1736 reverts [2.8] (#71516)
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
Co-authored-by: Sam Doran <sdoran@redhat.com>
5 years ago
Sam Doran c6eff6bdb2
Revert "[stable-2.8] Change default file permissions so they are not world readable (#70221) (#70827)" (#71233)
This reverts commit 11738aed97.
5 years ago
Sam Doran 11738aed97
[stable-2.8] Change default file permissions so they are not world readable (#70221) (#70827)
* [stable-2.8] Change default file permissions so they are not world readable (#70221)

* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)

Co-authored-by: Sam Doran <sdoran@redhat.com>

* Fix service test

* Fix lambda_policy test

* Fix aws_lambda test

* Fix warning for new default permissions when mode is not specified (#70976)

Follow up to #70221
Related to #67794
CVE-2020-1736

When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.

Add integration tests to ensure the warning works properly.

* Fix tests
- actually use custom module 🤦‍♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6

(cherry picked from commit dc79528cc6)

* Use new category in changelog fragments
5 years ago
Sloane Hertel e6199d768c
[2.8] CVE-2020-1746 - Remove the params module option from ldap_attr and ldap_entry (#68715)
* Remove the params module option from ldap_attr and ldap_entry

Module options that circumvent Ansible's option handling were disallowed
in:
https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html

Additionally, this particular usage can be insecure if bind_pw is set
this way as the password could end up in a logfile or displayed on
stdout.

Fixes CVE-2020-1746

(cherry picked from commit 0ff609f1bc)

* Fix formatting for option names

Co-Authored-By: Felix Fontein <felix@fontein.de>

* Fix fail_json

* update sanity

* fix indentation error

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
6 years ago
Sandra McCann 4afd3ad03b add porting guide for bare vars in conditionals (#60943) (#64289)
(cherry picked from commit 0b7d478200)
6 years ago
Sandra McCann d95ddf8519 Fix doc - porting_guide_2.8 value example (#63493) (#63525)
(cherry picked from commit e0f67b58ce)
6 years ago
Matt Martz db9744d29e [stable-2.8] Add porting guide entry for gathering facts tag change (#61180) (#61555)
* Add porting guide entry for gathering facts tag change

(cherry picked from commit 0175620)

Co-authored-by: Matt Martz <matt@sivel.net>
6 years ago
Alicia Cozine d123669a46
Backport/2.8/docs last backports (#56498)
* Update default roles_path documentation (#56320)

(cherry picked from commit c1ebc8d9c2)

* docs: Update scopes value example (#56362): example in GCE guide needs "https://" prefix

(cherry picked from commit 85fa65e5f0)

* [doc] fix example: always trigger the handler (#56384): by default, debug task result isn't changed - add 'changed_when: yes' to trigger handler

(cherry picked from commit b3ab83bc70)

* Update of Ansible 2.8 roadmap (#56436): Remove **if needed** for RC2 & RC3, correct date for RC3

(cherry picked from commit d55823b013)

* add how to create HttpApi plugins for network modules (#54340): in a developer guide for networks

(cherry picked from commit cca365061c)

* [Doc-Release-2.8] fixed broken module links in 2.8 porting guide (#56494)

(cherry picked from commit 635931051b)
7 years ago
Sandra McCann 0f749a8443 backport porting guide fix 7 years ago
Alicia Cozine c05b61777c
Backport/2.8/docs rst omnibus (#56310)
* Update windows_setup.rst (#55535): Wrong protocol and port in command.

(cherry picked from commit 6ea3eca8ff)

* Clarify the two targets of vault encryption, with notes about advantages and drawbacks of each

Co-Authored-By: tacatac <taca@kadisius.eu>
(cherry picked from commit 79198cad7a)

* Improve consistency of loop documentation (#55674)

(cherry picked from commit a5cb47d697)

* Add Microsoft Document URL for WinRM Memory Hotfix (#55680)

Co-Authored-By: hiyokotaisa <thel.vadam2485@gmail.com>
(cherry picked from commit 7b86208fcd)

* Clarify the documentation for `async` and `poll`; describe the behavior when `poll` = 0 and when it does not.

Co-Authored-By: tacatac <taca@kadisius.eu>
(cherry picked from commit dbc64ae64c)

* Add security group info and example to AWS guide (#55783): expand documentation on how to use lookup plugin aws_service_ip_ranges with ec2_group module

(cherry picked from commit bb5059f2c7)

* correct description of modules vs plugins (#55784)

(cherry picked from commit 9d5b5d7ddd)

* Fix var naming (#55795): Make vars match tasks in Google Compute guide.

(cherry picked from commit 943f7334c5)

* Clarifies how Ansible processes multiple `failed_when` conditions (#55941): multiple failed_when conditions join with AND not OR to counter third-party pages online incorrectly stating that it uses `OR`. ([example](https://groups.google.com/d/msg/ansible-project/cIaQTmY3ZLE/c5w8rlmdHWIJ)).

(cherry picked from commit 5439eb8bd8)

* Docs: edits & expands module_utils & search path info in dev guide (#55931)

(cherry picked from commit 8542459b95)

* Add faq note about ssh ServerAliveInterval (#55568)

(cherry picked from commit 76dba7aa4f)

* docsite: correct path, list requirements for testing module docs, etc. (#52008)

* dev_guide: correct path, list requirements, etc.; module HTML docs are in '_build/html/module' subdir

(cherry picked from commit b14f477bee)

* Developer documentation update involving module invocation (#55747)

* Update docs for the 2.7 change to AnsiballZ which invokes modules with one
  less Python interpreter

* Add a section on how module results are returned and on trust between modules, action plugins, and the executor.

* Update docs/docsite/rst/dev_guide/developing_program_flow_modules.rst

Co-Authored-By: abadger <a.badger@gmail.com>
(cherry picked from commit edafa71f42)

* add doc example of multiline failed_when with OR (#56007)
* add variety to multiple OR failed_when doc example

(cherry picked from commit 7d5ada7161)

* Note that by default the regex test is identical to match, but can do much more (#50205)

* Note that the regex test behaves like 'match', with default settings

(cherry picked from commit 86e98c5213)

* more info on how vaults work (#56183)

also add warning about what it covers.

(cherry picked from commit 8ff27c4e0c)

* Fix var naming in GCE guide

(cherry picked from commit dae5564e2b)

* dev_guide: Various small updates (#53273)

* Document the clarifications that I usually remark when doing reviews
* Update docs/docsite/rst/dev_guide/developing_modules_documenting.rst

Co-Authored-By: dagwieers <dag@wieers.com>
(cherry picked from commit eac7f1fb58)

* Lack of "--update" flag in older Ubuntu distros (#56283): when installing on older Ubuntu distributions be aware of the lack of ``-u`` or ``--update`` flag.

(cherry picked from commit dd0b0ae47b)

* should have gone into 52373 (#56306)

(cherry picked from commit 3c8d8b1509)
7 years ago
Alex Stephen 2e4c1dc3cb GCP Deprecations 7 years ago
Toshio Kuratomi 65b461b8fe Update the porting guide link to changelog 7 years ago
John R Barker 424747e50b porting_guide_2.8 - fix broken links (#55092)
* porting_guide_2.8 - fix broken links in deprecated modules section
7 years ago
Wilmar den Ouden 877ce12970 VMware: Rename results key to ansible_module_results (#55038)
* Rename results key to ansible_module_results

* Update to a better variable name

* Update example and adds change to porting guide
7 years ago
Andrea Tartaglia 0303ea2bfa openssl_pkcs12: Add idempotency checks (#54633)
* Added idempotency logic to openssl_pkcs12

Also decoupled the 'parse' and 'generate' function from the file write
as they are now used in different places that do not need the file to be
written to disk.

* Added idempotency tests for openssl_pkcs12

Also adds a new test for pkcs12 files with multiple certificates

* Regenerate if parsed file is invalid

* pkcs12_other_certificates check was wrong

* Updated ca_certificates to other_certificates

ca_certificates is left as an alias to other_certificates;
friendlyname depends on private key, so it will be ignored while
checking for idempotency if the pkey is not set;
idempotency check only checks for correct certs in the stack

* use different keys for different certs

* Added other_certificates in module docs

* Added changelog and porting guide

* removed unrelated porting guide entry

* renamed ca_cert* occurrence with other_cert
7 years ago
Matt Davis 97446f0eca
Revert "Add a force_replace_host flag to win_domain_membership (#53542)" (#55056)
This reverts commit 85d836171b.

As discussed in WWG IRC meeting, we don't want Get-ADObject to be a dependency of win_domain_membership, and we need to be able to authenticate to the DC in some configs. We can revisit this change a different way for 2.9.
7 years ago
Sam Doran 6ce9cf7741
Change default smart connection to ssh on macOS and remove paramiko from requirements.txt (#54738)
* Remove default use of paramiko connection plugin on macOS
    This fix was originally to work around a bug that caused a kernel panic on macOS
    that has since been fixed.
* Remove paramiko from requirements.txt
* Move paramiko checking to common place
* Drop the warnings obfuscation code
* Update pip installation instructions to reflect upstream instructions
* Fix tests on CentOS 6 (Python 2.6) that now show Python deprecation warnings
* Add changelog fragment
7 years ago
Kevin Subileau 09979e899f win_nssm: refactor to fix issues, support check mode and add more features (#45693)
* win_nssm: rename cmdlets to use approved verbs, rename service name parameters

* win_nssm: improve code style and cmdlets ordering

* win_nssm: always escape all command line parameters with Argv-ToString

fix error when the service name contains quotes

* win_nssm: use Fail-Json instead of exceptions and remove global try/catch

* win_nssm: small refactoring, inline some functions

* win_nssm: refactoring - add a generic cmdlet to idempotently set any nssm service parameter

* win_nssm: refactoring - inline some functions

To make the code more malleable for future changes

* win_nssm: change application, stdout_file and stderr_file options type to path

* win_nssm: deprecates app_parameters, rename app_parameters_free_form to arguments, and add support for list of parameters

* win_nssm: add support of check mode

* win_nssm: add working_directory option

* win_nssm: add display_name and description options

* win_nssm: minor changes

* win_nssm: remove some sanity exclusions

* win_nssm: avoid using aliases and minor style fixes

* win_nssm: doc and ui improvements

* win_nssm: remove sanity exclusions

* win_nssm: minor revision

* win_nssm: deprecates dependencies, start_mode, user and password parameters and some choices of state in favor of win_service

* win_nssm: fix style

* win_nssm: add executable option to specify the location of the NSSM utility

* win_nssm: add missing parameter types

* win_nssm: add diff mode support

* win_nssm: avoid displaying deprecation warning if default value is assigned

* win_nssm: fix variable scope

* win_nssm: use the explicit -LiteralPath parameter name instead of -Path

* win_nssm: fix documentation

* win_nssm: add porting guide entries

* win_nssm: add changelog fragment
7 years ago
Slava Maslennikov 85d836171b Add a force_replace_host flag to win_domain_membership (#53542)
* Add a force_replace_host flag to win_domain_membership

Satisfies https://github.com/ansible/ansible/issues/53539

* Rework backticks

* Bump version_added

* Check for existence of current hostname as well; use LDAPFilter during search

* Rename $force_replace_host to $allow_existing_computer_account

* Added docs, porting guide and minor nit in code
7 years ago
Evan Kaufman cf69ec5db0 replace - fixed combined before and after usage (#31452)
When using before and after in combination, the opposite behavior was induced. This PR makes the replacement happen between the specified patterns as intended.

* Added integration tests
* Add changelog, porting guide entry, and minor doc fixes
7 years ago
Jordan Borean b98e94df8f
porting guide - move win_dsc changes to proper section (#54372) 7 years ago
Jordan Borean 3044326b4d
win basic - do not warn on case insensitive matches (#54371) 7 years ago
Felix Fontein 752db43b2d Rename return of docker_compose. (#54171) 7 years ago
Jordan Borean 4f2d055e2c
win_psexec - deprecate the extra_opts module options (#53666) 7 years ago
Matthew Butch cd5c64c818 FreeIPA: Fix ipa_user password option (#48453)
Maintain idempotency in ipa_user while user update.
7 years ago
Sloane Hertel 9687879840
Fix inventory cache interface (#50446)
* Replace InventoryFileCacheModule with a better developer-interface

Use new interface for inventory plugins with backwards compatibility

Auto-update the backing cache-plugin if the cache has changed after parsing the inventory plugin

* Update CacheModules to use the config system and add a deprecation warning if they are being imported directly rather than using cache_loader

* Fix foreman inventory caching

* Add tests

* Add integration test to check that fact caching works normally with cache plugins using ansible.constants and inventory caching provides a helpful error for non-compatible cache plugins

* Add some developer documentation for inventory and cache plugins

* Add user documentation for inventory caching

* Add deprecation docs

* Apply suggestions from docs review

* Add changelog
7 years ago
Jordan Borean 6b294eab4d
win_dsc - Add argument validation and other fixes (#53093)
* win_dsc - Add argument validation and other fixes

* Fix doc issues
7 years ago
Felix Fontein 8c628c9b2c Simplify docker_*_facts return names (#51939)
* Simplify docker_*_facts return names.

* Adjust regular return values of modules to match style of docker_*_facts modules.
7 years ago
Chuck Douglas 0e9a79a589 Change the retry_files_enabled to False and modify the comments to reflect that this has been disabled (#52581)
* Change the retry_files_enabled to False and modify the comments to reflect that
this has been disabled.

* Change the default action of retry_files_enabled to False

* Update porting guide to reflect change in default state of retry_files_enabled variable

* Change log documenting a change in default behaviour of retry_files_enabled

* Revert config change to comment out the retry_files_enabled line to let the user decide what is best.
Comment above still states how to change.
7 years ago
Matt Davis 4d3a6123d5
Python interpreter discovery (#50163)
* Python interpreter discovery

* No longer blindly default to only `/usr/bin/python`
* `ansible_python_interpreter` defaults to `auto_legacy`, which will discover the platform Python interpreter on some platforms (but still favor `/usr/bin/python` if present for backward compatibility). Use `auto` to always use the discovered interpreter, append `_silent` to either value to suppress warnings.
* includes new doc utility method `get_versioned_doclink` to generate a major.minor versioned doclink against docs.ansible.com (or some other config-overridden URL)

* docs revisions for python interpreter discovery

(cherry picked from commit 5b53c0012ab7212304c28fdd24cb33fd8ff755c2)

* verify output on some distros, cleanup
7 years ago
Felix Fontein c6ae23062b Deprecate returned facts. (#52518) 7 years ago
Pilou d8a2d64ec1 osx_say callback plugin: add espeak support, rename to say (#33740)
* rename into say

* add support for espeak command

* adds symlink from osx_say to say

* Update version number
7 years ago
Sam Doran f52a088862
Add option to ignore, warn, or error when a module parameter is converted to a string (#51404)
* Add new module property to Windows modules
* Add brief pause to file tests to ensure the stat times are not equal, which was happening sometimes.
* Raise TypeError on error rather than fail_json()
* Rework error message to be less verbose
* Add porting guide entry
7 years ago
Garfield Lee Freeman fb97204291 Deprecating panos modules; pointing to Galaxy role (#52355)
* Deprecating panos modules; pointing to Galaxy role

* Updating porting guide; deprecating panos_set

* Changing 2.11 to 2.12
7 years ago
Martin Krizek be9f07279e Add stats on rescued/ignored tasks (#48418)
* Adding rescued/ignored tasks to stats gathering

Fixes #31245

* Amend integration tests to pass

* callback/dense.py: fix too-many-format-args

* Add changelog

* Amend counter_enabled and unixy callbacks

* Fix syntax error

* Fix typo in the changelog

* Remove not needed comment

* Re-add skipped

* Add test for rescued

* Fix colors...

* Fix unstable tests?

* Add a note to the porting guide

* Re-word the note in the porting guide

Fixes #20346
Fixes #24525
Fixes #14393

Co-authored-by: James Cammarata <jimi@sngx.net>
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
7 years ago
Abhijeet Kasurde 57d85031d7
Parse multiple values for single key in cmdline facts (#49591)
* Facts parsing for cmdline can now handle multiple values for a single key.
* Unit tests for cmdline fact parsing
* Review comments

Fixes: #22766

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
7 years ago
Hannes Ljungberg 0bf9052e06 docker_swarm_service: Remove defaults (#52420)
* Remove update_parallelism default

* Remove update_delay default

* Add documentation about removing defaults

* Present porting guide changes as a list
7 years ago
Alex Stephen 6ae04017d8 GCE deprecation warning (#52116)
* GCE deprecation warning

* porting guide typo

* fixing ignores

* moving error code back

* underscore marking on gce

* forgot to change status
7 years ago
Jordan Borean 7b8e814a10 Ansible.Basic: make module options case insensitive with dep warning (#51583)
* Ansible.Basic: make module options case insensitive with dep warning

* Add porting guide info
7 years ago
Andrew Gaffney 9c35f18dd6 Custom jinja Undefined class for handling nested undefined attributes (#51768)
This commit creates a custom Jinja2 Undefined class that returns
Undefined for any further accesses, rather than raising an exception
7 years ago
Abhijeet Kasurde fab815fc3b
VMware: Handle duplicate VM names in vmware_vm_facts (#45412)
This fix changes facts returned from vmware_vm_facts to list of dict from
dict of dict.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
7 years ago
James Cassell 953058d025 standardize connection variable names (#51776)
* standardize user/password connection vars

* docs: use ansible_user and ansible_password

* docs: var precedence for connection vars

* docs: ansible_become_pass -> ansible_become_password etc
7 years ago
Hannes Ljungberg b426daa064 docker_swarm_service: Remove root as default user (#51110)
* Remove root as default user

* Add changelog fragment

* Add deprecation documentation

* Tweak user default docs for docker_swarm_service

Co-Authored-By: hannseman <hannes@5monkeys.se>

* Tweak user default deprecation docs

Co-Authored-By: hannseman <hannes@5monkeys.se>
7 years ago
Felix Fontein 4732728e40 Updating #51035: add rename to porting guide. (#51230) 7 years ago
Nathaniel Case 9702893729
Remove deprecated options from modules (#50246)
* Remove deprecated options from modules

* Update tests

* Add porting guide notes
7 years ago
Matt Martz 552cb1f6b9
Add porting guide note about change from 49317 (#49629) 7 years ago
ABond d55479d063 DigitalOcean module deprecation (#47272) 7 years ago
branen 88029a73d6 Correct docsite typos: it's -> its (#50812) 7 years ago
Toshio Kuratomi 40e7c7a210
Add a porting guide entry for ansible_distribution facts (#50251)
* Add a porting guide entry for ansible_distribution facts

Switching away from platform.distro() will cause changes sometimes due
to the new code using new sources of information that may be out of sync
with the old ones.  Just have to make people aware of that and also what
we are doing to mitigate it when appropriate.

* wordsmithed, added links for new distro backend
7 years ago