8a34b925a4
The tasks in tests/imageprep/_user_accounts.yml that create users did not specify a primary group for those users - this left the decision to Ansible's user module, and/or the underlying OS. In Ansible 9+ (ansible-core 2.16+ the user module defaults to primary group "staff." Earlier don't supply a default, which releases probably results in a primary group nameed "None" (due to stringifying the Python singleton of the same name), or whatever the macOS Directory Services has for no data/NULL. The invalid GID 4294967295 (MAX_UINT32 == 2**32-1) in the sudo error probably enters the mix via something similar to sudo CVE-2019-14287. Fixes #692 See - https://github.com/ansible/ansible/pull/79999 - https://github.com/ansible/ansible/commit/c69c83c962f987c78af98da0746527df - https://www.sudo.ws/security/advisories/minus_1_uid/ > Bruce Wayne : [confused] Am I meant to understand any of that? > Lucius Fox : Not at all, I just wanted you to know how hard it was. > -- Batman Begins |
2 days ago | |
---|---|---|
.. | ||
group_vars | ||
host_vars | ||
README.md | ||
_container_create.yml | ||
_container_finalize.yml | ||
_container_setup.yml | ||
_user_accounts.yml | ||
ansible.cfg | ||
hosts.ini | ||
py24-build.sh | ||
py24.sh | ||
setup.yml | ||
tox.ini |
README.md
image_prep
This directory contains Ansible playbooks for building the Docker containers used for testing, or for setting up an OS X laptop so the tests can (mostly) run locally.
The Docker config is more heavily jinxed to trigger adverse conditions in the code, the OS X config just has the user accounts.
See ../README.md for a (mostly) description of the accounts created.
Building the containers
No single version of Ansible supports every Linux distribution that we target. To workaround this Tox is used, to install and run multiple versions of Ansible, in Python virtualenvs.
tox
Preparing an OS X box
WARNING: this creates a ton of accounts with preconfigured passwords. It is generally impossible to restrict remote access to these, so your only option is to disable remote login and sharing.
ansible-playbook -b -c local -i localhost, -l localhost setup.yml