cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Make sure password files from lookups are created with restrictive permissions

Browse source 
Also adds checks for the lookup integration test for passwords.

Fixes #8652
This commit is contained in:
James Cammarata 2014-08-19 11:30:04 -05:00
parent 3a7aca6066
commit d4ff0d125a
2 changed files with 32 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/ansible/runner/lookup_plugins/password.py
View file

@ -80,7 +80,10 @@ class LookupModule(object):
if not os.path.exists(path): if not os.path.exists(path):
pathdir = os.path.dirname(path) pathdir = os.path.dirname(path)
if not os.path.isdir(pathdir): if not os.path.isdir(pathdir):
os.makedirs(pathdir) try:
os.makedirs(pathdir, mode=0700)
except OSError, e:
raise errors.AnsibleError("cannot create the path for the password lookup: %s (error was %s)" % (pathdir, str(e)))
chars = "".join([getattr(string,c,c) for c in use_chars]).replace('"','').replace("'",'') chars = "".join([getattr(string,c,c) for c in use_chars]).replace('"','').replace("'",'')
password = ''.join(random.choice(chars) for _ in range(length)) password = ''.join(random.choice(chars) for _ in range(length))
@ -91,6 +94,7 @@ class LookupModule(object):
else: else:
content = password content = password
with open(path, 'w') as f: with open(path, 'w') as f:
os.chmod(path, 0600)
f.write(content + '\n') f.write(content + '\n')
else: else:
content = open(path).read().rstrip() content = open(path).read().rstrip()
@ -108,10 +112,12 @@ class LookupModule(object):
salt = self.random_salt() salt = self.random_salt()
content = '%s salt=%s' % (password, salt) content = '%s salt=%s' % (password, salt)
with open(path, 'w') as f: with open(path, 'w') as f:
os.chmod(path, 0600)
f.write(content + '\n') f.write(content + '\n')
# crypt not requested, remove salt if present # crypt not requested, remove salt if present
elif (encrypt is None and salt): elif (encrypt is None and salt):
with open(path, 'w') as f: with open(path, 'w') as f:
os.chmod(path, 0600)
f.write(password + '\n') f.write(password + '\n')
if encrypt: if encrypt:

29
test/integration/roles/test_lookups/tasks/main.yml
View file

@ -36,20 +36,41 @@
# PASSWORD LOOKUP # PASSWORD LOOKUP
- name: remove previous password files - name: remove previous password files
file: dest={{output_dir}}/password state=absent file: dest={{output_dir}}/lookup/password state=absent
with_items:
- "{{output_dir}}/lookup/password"
- "{{output_dir}}/lookup"
- name: create a password file - name: create a password file
set_fact: set_fact:
newpass: "{{ lookup('password', output_dir + '/password length=8') }}" newpass: "{{ lookup('password', output_dir + '/lookup/password length=8') }}"
- name: stat the password file directory
stat: path="{{output_dir}}/lookup"
register: result
- name: assert the directory's permissions
assert:
that:
- result.stat.mode == '0700'
- name: stat the password file
stat: path="{{output_dir}}/lookup/password"
register: result
- name: assert the directory's permissions
assert:
that:
- result.stat.mode == '0600'
- name: get password length - name: get password length
shell: wc -c {{output_dir}}/password | awk '{print $1}' shell: wc -c {{output_dir}}/lookup/password | awk '{print $1}'
register: wc_result register: wc_result
- debug: var=wc_result.stdout - debug: var=wc_result.stdout
- name: read password - name: read password
shell: cat {{output_dir}}/password shell: cat {{output_dir}}/lookup/password
register: cat_result register: cat_result
- debug: var=cat_result.stdout - debug: var=cat_result.stdout