* Revert "Change default file permissions so they are not world readable (#70221)"
This reverts commit 5260527c4a.
* Revert "Fix warning for new default permissions when mode is not specified (#70976)"
This reverts commit dc79528cc6.
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions
* Use locking for concurrent file access
This implements locking to be used for modules that are used for
concurrent file access, like lineinfile or known_hosts.
* Reinstate lock_timeout
This commit includes:
- New file locking infrastructure for modules
- Enable timeout tests
- Madifications to support concurrency with lineinfile
* Rebase, update changelog and tests
We need to specify ansible_python_interpreter to avoid running interpreter discovery and selecting the incorrect interpreter.
Remove the import of lock in known_hosts since it is not used.
* actually check we can run scm command for roles
* a better error message than file not found
* more narrow exception hanlding
* refactor common functions for more extended use and further 'basic.py' separation
Matt Clay