5260527c4a
* Change default file permissions so they are not world readable CVE-2020-1736 Set the default permissions for files we create with atomic_move() to 0o0660. Track which files we create that did not exist and warn if the module supports 'mode' and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults. A code audit is needed to find all instances of modules that call atomic_move() but do not call set_mode_if_different(). The findings need to be documented in a changelog since we are not warning. Warning in those instances would be frustrating to the user since they have no way to change the module code. - use a set for storing list of created files - just check the argument spac and params rather than using another property - improve the warning message to include the default permissions
4 lines
211 B
YAML
4 lines
211 B
YAML
bugfixes:
|
|
- >
|
|
**security issue** atomic_move - change default permissions when creating
|
|
temporary files so they are not world readable (https://github.com/ansible/ansible/issues/67794) (CVE-2020-1736)
|