You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
ansible/test
Sam Doran 7e4cffc5d2
[stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824)
* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)

Co-authored-by: Sam Doran <sdoran@redhat.com>
4 years ago
..
ansible_test Relocate ansible-test self tests outside package. (#61255) 5 years ago
integration [stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824) 4 years ago
lib/ansible_test [stable-2.10] Fix ansible-test virtualenv management. 4 years ago
sanity Collections docs generation backport (#70515) 4 years ago
support Deprecation revisited (#69926) 5 years ago
units [stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824) 4 years ago
utils/shippable Remove temporary migration hack from CI scripts. 5 years ago