From 9d4da943b3297d9616c6ecbb9b837b23b45050a2 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 26 Mar 2019 14:42:33 +0000
Subject: [PATCH] Always remove temporary file containing passwords

When generating or updating the passwords.yml file for kolla-ansible, kayobe writes out various stages of the process to temporary files in /tmp, in plain text. One of these files can be left in place if there are no changes to apply to the file. This change ensures that we always remove temporary files containing passwords. We also switch from shutil.copy2 to shutil.copyfile, to keep the permissions of the destination rather than applying those of the source, which are typically more open (644 vs 600).
Depends-On: https://review.openstack.org/647858
Change-Id: Icb290fd22dc01567a4297a42f5e4d765e3b57d37
Story: 2005299
Task: 30187
(cherry picked from commit 7ca0cd0cb8b8adc0e2a27168edde8d5706ca290e)
---
.../kolla-ansible/library/kolla_passwords.py | 12 ++++-----
.../passwords-in-tmp-18e55d5e9b894b4d.yaml | 25 +++++++++++++++++++
2 files changed, 31 insertions(+), 6 deletions(-)
create mode 100644 releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
diff --git a/ansible/roles/kolla-ansible/library/kolla_passwords.py b/ansible/roles/kolla-ansible/library/kolla_passwords.py
index 47e1979b0..be461a92b 100644
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -111,13 +111,13 @@ def kolla_passwords(module): temp_file_path = create_named_tempfile() try: # Start with kolla's sample password file. - shutil.copy2(module.params['sample'], temp_file_path) + shutil.copyfile(module.params['sample'], temp_file_path) # If passwords exist, decrypt and merge these in. if module.params['src'] and os.path.isfile(module.params['src']): src_path = create_named_tempfile() try: - shutil.copy2(module.params['src'], src_path) + shutil.copyfile(module.params['src'], src_path) if module.params['vault_password']: vault_decrypt(module, src_path) kolla_mergepwd(module, src_path, temp_file_path, temp_file_path) @@ -142,7 +142,7 @@ def kolla_passwords(module): if module.params['vault_password']: dest_path = create_named_tempfile() try: - shutil.copy2(module.params['dest'], dest_path) + shutil.copyfile(module.params['dest'], dest_path) vault_decrypt(module, dest_path) checksum_dest = module.sha1(dest_path) finally: @@ -162,10 +162,10 @@ def kolla_passwords(module): if changed and not module.check_mode: module.atomic_move(temp_file_path, module.params['dest']) except Exception as e: - try: + module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e)) + finally: + if os.path.isfile(temp_file_path): os.unlink(temp_file_path) - finally: - module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e)) if not module.check_mode: # Update the file's attributes. diff --git a/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml b/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml new file mode 100644 index 000000000..8dafda545 --- /dev/null +++ b/releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml 
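Review bot: The three `shutil.copyfile` calls (the `sample` and `src` copies in this hunk, and the `dest` copy in the `-142,7` hunk) leave each temporary file with whatever mode `create_named_tempfile()` gave it, and that helper is defined outside the visible hunks, so the confidentiality of the decrypted passwords rests on an assumption the code does not state. If the helper is built on `tempfile.mkstemp` or `tempfile.NamedTemporaryFile` the file is created 0600, but that should be confirmed rather than assumed. I would add a comment above the first call, for example `# copyfile keeps the restrictive mode of the pre-created temp file; copy2 would apply the source's mode`, so a later cleanup does not switch back to `copy2`. The body of `kolla_passwords` starts and ends outside the hunk.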
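Review bot: The new `finally:` block in the `-162,10` hunk relies on two facts that are not written down. `module.fail_json` exits by raising `SystemExit`, so the cleanup still runs after it, and on success `module.atomic_move` has already moved `temp_file_path` away, which is why the `os.path.isfile` guard is needed. A comment above the guard such as `# Always remove the plain-text copy; it is already gone if atomic_move succeeded` would keep a later refactor from dropping either part. Separately, if `os.unlink(temp_file_path)` itself raises here, the `OSError` replaces the pending exit, so the module ends with a traceback and the password file is left behind; catching `OSError` around the unlink and reporting the path would make that case visible. The enclosing `try:` begins before this hunk.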
@@ -0,0 +1,25 @@
+---
+security:
+ - |
+ Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+ where if the contents of the file have not changed, a plain text copy of the
+ file would be left in /tmp on the Ansible control host.
+
+ The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+ user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+ It is recommended to check any systems on which Kayobe has been run for
+ copies of the passwords file in /tmp. A simple check for this is `grep -rn
+ database_password /tmp`.
+fixes:
+ - |
+ Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
+ where if the contents of the file have not changed, a plain text copy of the
+ file would be left in /tmp on the Ansible control host.
+
+ The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
+ user that runs kayobe, with permissions 664 (rw-rw-r--).
+
+ It is recommended to check any systems on which Kayobe has been run for
+ copies of the passwords file in /tmp. A simple check for this is `grep -rn
+ database_password /tmp`.