7e4cffc5d2
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spec and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit
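
The behaviour the commit message describes, sketched as an added example that is not Ansible's code: new files get 0o0660 narrowed by the umask, created paths are tracked in a set, and a warning is raised only when the argument spec offers 'mode' and the caller left it unset. The `Writer` class and its `atomic_write()` and `finish()` methods are hypothetical names, and keeping the permissions of a replaced file is this sketch's own choice.

```python
import os
import stat
import tempfile

DEFAULT_PERM = 0o0660  # default stated in the commit message


class Writer:
    """Hypothetical module helper for illustration; not Ansible's AnsibleModule."""

    def __init__(self, argument_spec, params):
        self.argument_spec, self.params = argument_spec, params
        self.created = set()  # paths that did not exist before we wrote them
        self.warnings = []

    def atomic_write(self, dest, data):
        existed = os.path.exists(dest)
        # mkstemp creates the temp file 0600, so nothing is exposed before the rename
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
        try:
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            if existed:  # replacing a file: keep the permissions it already had
                os.chmod(tmp, stat.S_IMODE(os.stat(dest).st_mode))
            else:  # new file: default permissions, narrowed further by the umask
                umask = os.umask(0)
                os.umask(umask)
                os.chmod(tmp, DEFAULT_PERM & ~umask)
                self.created.add(dest)
            os.replace(tmp, dest)
        finally:
            if os.path.exists(tmp):
                os.unlink(tmp)

    def set_mode_if_different(self, path, mode):
        """An explicit mode was applied, so the default no longer needs a warning."""
        if stat.S_IMODE(os.stat(path).st_mode) != mode:
            os.chmod(path, mode)
        self.created.discard(path)

    def finish(self):
        """Warn for created files left on the default although 'mode' was available."""
        if "mode" in self.argument_spec and self.params.get("mode") is None:
            for path in sorted(self.created):
                self.warnings.append(
                    "File '%s' created with default permissions '%o'; "
                    "specify 'mode' to avoid this warning." % (path, DEFAULT_PERM))
        return self.warnings
```

With a umask of 022 a newly created file ends up 0640, so the world-readable bit is never set, and a caller that passes 'mode' or calls `set_mode_if_different()` gets no warning.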