don't create world-readable archives of LXC containers

With the default umask, tar will create a world-readable archive of the container, which may contain sensitive data.

Signed-off-by: Evgeni Golov <evgeni@golov.de>
Evgeni Golov 2016-04-04 17:28:22 +02:00 committed by Matt Clay
parent 3b79c1621b
commit 1847f19e41


@ -1366,6 +1366,8 @@ class LxcContainerManagement(object):
:type source_dir: ``str`` :type source_dir: ``str``
""" """
old_umask = os.umask(0077)
archive_path = self.module.params.get('archive_path') archive_path = self.module.params.get('archive_path')
if not os.path.isdir(archive_path): if not os.path.isdir(archive_path):
os.makedirs(archive_path) os.makedirs(archive_path)
@ -1396,6 +1398,9 @@ class LxcContainerManagement(object):
build_command=build_command, build_command=build_command,
unsafe_shell=True unsafe_shell=True
) )
os.umask(old_umask)
if rc != 0: if rc != 0:
self.failure( self.failure(
err=err, err=err,
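Review bot: The restore at `os.umask(old_umask)` in the second hunk runs only when the command call returns normally, so an exception anywhere between the two hunks would leave the process at umask 077; wrapping the span from `old_umask = os.umask(0077)` to the restore in `try:`/`finally:` keeps the change scoped to archive creation. The literal `0077` is Python 2-only octal syntax and is a SyntaxError on Python 3, whereas `old_umask = os.umask(0o077)` parses on Python 2.6+ and 3. The umask now also applies to `os.makedirs(archive_path)`, so a newly created archive directory becomes 0700, which looks intended but is worth stating in the docstring. A umask only affects files created under it, so an archive file that already exists at the target path would presumably keep its old mode; an explicit `os.chmod` on the resulting archive would cover that case. The method body begins before the first hunk and continues past the second, so the lines between them are not visible here.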