From d9aa14feea422af7d39d8291277115b9b1f7f10e Mon Sep 17 00:00:00 2001
From: Lukas Pirl
Date: Tue, 28 Jul 2015 19:24:23 +1200
Subject: [PATCH] fixes remote code execution for su/sudo and strict remote umasks
* temporarily changes umask for creating temporary directories
* otherwise parent directories may not get chmod'ed and end up unreadable
refs #9902
---
lib/ansible/plugins/action/__init__.py | 2 +-
lib/ansible/plugins/shell/sh.py | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index 87327ed2b4..dd3d1dbcaf 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -144,7 +144,7 @@ class ActionBase:
 tmp_mode = None
 if self._play_context.remote_user != 'root' or self._play_context.become and self._play_context.become_user != 'root':
- tmp_mode = 'a+rx'
+ tmp_mode = 0755
 cmd = self._connection._shell.mkdtemp(basefile, use_system_tmp, tmp_mode)
 self._display.debug("executing _low_level_execute_command to create the tmp path")
diff --git a/lib/ansible/plugins/shell/sh.py b/lib/ansible/plugins/shell/sh.py
index 70ec91d6e5..1464fd09fa 100644
--- a/lib/ansible/plugins/shell/sh.py
+++ b/lib/ansible/plugins/shell/sh.py
@@ -65,9 +65,14 @@ class ShellModule(object):
 if system and (basetmp.startswith('$HOME') or basetmp.startswith('~/')):
 basetmp = self.join_path('/tmp', basefile)
 cmd = 'mkdir -p "%s"' % basetmp
- if mode:
- cmd += ' && chmod %s "%s"' % (mode, basetmp)
 cmd += ' && echo "%s"' % basetmp
+
+ # change the umask in a subshell to achieve the desired mode
+ # also for directories created with `mkdir -p`
+ if mode:
+ tmp_umask = 0777 & ~mode
+ cmd = '(umask %o && %s)' % (tmp_umask, cmd)
+
 return cmd
 def expand_user(self, user_home_path):
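Review bot: `tmp_mode = 0755` silently changes the type handed to `mkdtemp` from a chmod symbolic string to an integer, and nothing at this call site documents that contract; if any other `ShellModule.mkdtemp` implementation still formats `mode` into `chmod %s`, it will now emit `chmod 493`, and a caller that still passes a string will fail at `~mode` in sh.py instead. A one-line comment here, `# integer mode: sh.py's mkdtemp applies it via umask, not as a chmod argument`, would make the coupling between the two plugins visible. `0755` is also the Python-2-only octal spelling; `0o755` has been accepted since 2.6 and keeps this line parseable on Python 3. The enclosing method begins and ends outside the hunk.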
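Review bot: The umask only governs directories that `mkdir -p` actually creates, so a parent of `basetmp` that already exists from an earlier run under a restrictive umask keeps its old mode and the become user still cannot traverse it; the removed `chmod` had the same gap for parents, but since the commit message presents this as fixed, the new comment above `if mode:` should state the limit, e.g. `# NOTE: only affects directories mkdir -p creates; pre-existing parents keep their mode`. `'%o' % 022` renders as `umask 22`, which POSIX sh does read as octal, but `'%04o'` yields `umask 0022` and spares the next reader a double-take. The `mkdtemp` signature and docstring lie outside the hunk; its `mode` parameter should be documented there as an integer permission mask (for example `0755`), because a string value now raises at `~mode` rather than being passed through to `chmod` as before.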