Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Secure tempfiles #742

Merged
merged 3 commits into from
Jun 29, 2021
Merged

Secure tempfiles #742

merged 3 commits into from
Jun 29, 2021

Conversation

abadger
Copy link
Contributor

@abadger abadger commented Jun 28, 2021

Looking through the code, I found two separate race conditions with tempfile handling which can be exploited. One of those is mentioned in #738. The other one happens because we create a tempdir and then delete it, then later reuse its name. An attacker can pre-create the tempdir in between the deletion and the second creation with the reused name. This PR attempts to fix both.

Fixes #738

abadger added 3 commits June 28, 2021 16:30
…dtemp()

The previous code allowed for an easily exploitable race where the
attacker could pre-create a known directory name to gain access to
private files created by ansible-runner.  Using mkdtemp() closes that
hole because mkdtemp() ensures that the directory name returned has
been allocated with restrictive permissions by mkdtemp itself so the
attacker has no opportunity to inject their own directory.

Fixes ansible#738
The previous code allowed a race where an attacker could watch for
creation of a rapid creation and deletion of a temporary directory,
substitute their own directory at that name, and then have access to
ansible-runner's private_data_dir the next time ansible-runner made
ues of the private_data_dir.

This code fixes the issue by creating the directory securely using
mkdtemp() and not deleting it afterwards.
* Most tests just need to be changed to account for a default private_data_dir
  which doesn't have a predictable name.
* test_container_volmount_generation has several tests where mocking of
  os.path.exists for the _update_volume_mount_paths() function which was
  being tested interfered with proprer creation of a BaseConfig()
  object.  Moved the mocking to occur after the BaseConfig()
  instantiation to make those work.
@abadger abadger force-pushed the secure-tempfiles branch from 766fb5f to f1a4f78 Compare June 28, 2021 23:42
@ansible-zuul ansible-zuul bot removed the gate label Jun 28, 2021
@matburt matburt added the gate label Jun 29, 2021
@ansible-zuul ansible-zuul bot merged commit dcdb62d into ansible:devel Jun 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ansible-runner writes artifacts to world rw location by default
3 participants