mirror of https://github.com/ansible/ansible.git
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7e4cffc5d2
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit
|
4 years ago | |
---|---|---|
.. | ||
__init__.py | 9 years ago | |
test__log_invocation.py | 7 years ago | |
test__symbolic_mode_to_octal.py | 4 years ago | |
test_argument_spec.py | 4 years ago | |
test_atomic_move.py | 4 years ago | |
test_deprecate_warn.py | 4 years ago | |
test_dict_converters.py | 7 years ago | |
test_exit_json.py | 4 years ago | |
test_filesystem.py | 6 years ago | |
test_get_file_attributes.py | 4 years ago | |
test_get_module_path.py | 6 years ago | |
test_heuristic_log_sanitize.py | 4 years ago | |
test_imports.py | 5 years ago | |
test_log.py | 6 years ago | |
test_no_log.py | 4 years ago | |
test_platform_distribution.py | 5 years ago | |
test_run_command.py | 4 years ago | |
test_safe_eval.py | 4 years ago | |
test_sanitize_keys.py | 4 years ago | |
test_selinux.py | 6 years ago | |
test_set_mode_if_different.py | 5 years ago | |
test_tmpdir.py | 4 years ago |