From 37ca7222bb83ff0de15c0502551b7e9e0960983a Mon Sep 17 00:00:00 2001
From: Sam Yaple
Date: Sun, 5 Jul 2015 07:20:16 +0000
Subject: [PATCH] fix possible symlink attack with ansible

The commands used to create a temporary file on the localhost were vulnerable to a symlink attack. Removing the shell module and ensuring the ansible copy and file module is used will verify this file exists as a file with the correct permissions and ownership

Change-Id: I829483edf1435e41726ebfe1bc826e0c2e5265e3
Closes-Bug: 1471376
---
 ansible/roles/database/tasks/bootstrap.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/ansible/roles/database/tasks/bootstrap.yml b/ansible/roles/database/tasks/bootstrap.yml
index 6653ebbd75..82b23bfa7b 100644
--- a/ansible/roles/database/tasks/bootstrap.yml
+++ b/ansible/roles/database/tasks/bootstrap.yml
@@ -1,9 +1,13 @@
 ---
-- name: Creating temp file on localhost
-  local_action: shell echo 'None' > /tmp/kolla_mariadb_cluster
-  register: status
+- name: Cleaning up temp file on localhost
+  local_action: file path=/tmp/kolla_mariadb_cluster state=absent
+  changed_when: False
+  always_run: True
+  run_once: True
+
+- name: Creating temp file on localhost
+  local_action: copy content=None dest=/tmp/kolla_mariadb_cluster owner=root group=root mode=0600
   changed_when: False
-  failed_when: status.rc != 0
   always_run: True
   run_once: True
 
@@ -17,10 +21,8 @@
   run_once: True
 
 - name: Writing hostname of host with existing cluster files to temp file
-  local_action: shell echo "{{ ansible_hostname }}" > /tmp/kolla_mariadb_cluster
-  register: status
+  local_action: copy content={{ ansible_hostname }} dest=/tmp/kolla_mariadb_cluster owner=root group=root mode=0600
   changed_when: False
-  failed_when: status.rc != 0
   always_run: True
   when: exists.rc == 0
 
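Review bot: The `copy` task added in the first hunk still targets the fixed name `/tmp/kolla_mariadb_cluster` in a world-writable directory, so the new cleanup task followed by the create task is a check-then-act sequence on the controller: another local user can recreate that name (as a file or a symlink) between the two tasks, and the same path is written again by the `copy` in the second hunk and read by `lookup('file', ...)` in the third. Whether `copy` replaces a symlink at `dest` rather than following it is a property of the module implementation in the Ansible version in use, so the guarantee stated in the commit message should be confirmed there rather than assumed. Keeping the scratch file under a directory created with mode 0700 for the invoking user, or passing the hostname between plays as a fact (`set_fact` plus `hostvars`) instead of through a controller-side file, would remove the shared-path dependency entirely. A comment above the create task recording why the path is fixed and which bug it relates to would help the next reader, e.g. `# Scratch file on the controller; path is fixed and shared — see Closes-Bug 1471376`.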
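Review bot: `owner=root group=root` on the `copy` in the second hunk (and on the one in the first) makes the task depend on the controller-side play running as root; if the playbook is ever run as an unprivileged user the chown would be expected to fail and the task errors where the old `shell echo` did not. If non-root controller runs are meant to be supported, dropping the explicit owner/group (the file is then owned by the invoking user, with `mode=0600` still restricting it) would be safer than hard-coding root. Note also that `mode=0600` and `content={{ ansible_hostname }}` are not subject to YAML typing here only because they sit inside the key=value argument string; if these tasks are later rewritten in block-YAML module-argument form, both must be quoted (`mode: "0600"`, `content: "{{ ansible_hostname }}"`) or YAML will read the mode as an octal integer and reject the Jinja expression as a flow mapping.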
@@ -29,10 +31,8 @@
     delegate_host: "{{ lookup('file', '/tmp/kolla_mariadb_cluster') }}"
 
 - name: Cleaning up temp file on localhost
-  local_action: shell rm /tmp/kolla_mariadb_cluster
-  register: status
+  local_action: file path=/tmp/kolla_mariadb_cluster state=absent
   changed_when: False
-  failed_when: status.rc != 0
   always_run: True
   run_once: True
 