ansible/test
Sam Doran 7e4cffc5d2
[stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824)
* Change default file permissions so they are not world readable

CVE-2020-1736

Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.

A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.

- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)

Co-authored-by: Sam Doran <sdoran@redhat.com>
2020-07-23 09:07:18 -07:00
..
ansible_test
integration [stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824) 2020-07-23 09:07:18 -07:00
lib/ansible_test [stable-2.10] Fix ansible-test virtualenv management. 2020-07-14 02:08:17 -07:00
sanity Collections docs generation backport (#70515) 2020-07-20 14:28:35 -07:00
support Deprecation revisited (#69926) 2020-06-09 15:21:19 -07:00
units [stable-2.10] Change default file permissions so they are not world readable (#70221) (#70824) 2020-07-23 09:07:18 -07:00
utils/shippable Remove temporary migration hack from CI scripts. 2020-06-16 11:25:39 -07:00