
Ensure get-pip cannot be modified

We don't ensure the permissions of the fetched file on the
download location. Sadly /tmp is a known place where users can
write files.

This is a problem, as a potential race condition could appear,
where get-pip is modifiable on /tmp/ folder by another user,
leading to privilege escalation.

Change-Id: I041db3412e228efe8a0d9a87f4cfba206482c729
Jean-Philippe Evrard 8 months ago
parent
commit
039d884e29
1 changed file with 3 additions and 1 deletion: tasks/install_offline.yml (+3, -1)

@@ -21,6 +21,7 @@
21 21
         dest: "/tmp/get-pip.py"
22 22
         force: "yes"
23 23
         validate_certs: "{{ pip_validate_certs }}"
24
+        mode: "0500"
24 25
       register: get_pip_local
25 26
       until: get_pip_local is success
26 27
       retries: 5
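Review bot: the added `mode: "0500"` only tightens permissions after get_url has written the file, so it narrows the race in the commit message rather than closing it: the destination is still the fixed, predictable path `/tmp/get-pip.py` in a world-writable directory, and a file or symlink that another local user places at that name before this task runs still decides what the download lands on. A private destination removes the shared path altogether, for example an `ansible.builtin.tempfile` task with `state: directory` whose result feeds `dest: "{{ get_pip_tmpdir.path }}/get-pip.py"` (variable name is a suggestion), or a directory owned by the connecting user with mode 0700. Keeping the mode quoted as `"0500"` is the right form and should stay; a bare `500` would be taken as decimal and yield a different permission set.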
@@ -40,7 +41,8 @@
40 41
         dest: "/tmp/get-pip.py"
41 42
         force: "yes"
42 43
         validate_certs: "{{ pip_validate_certs }}"
43
-      when: get_pip_local  is failed
44
+        mode: "0500"
45
+      when: get_pip_local is failed
44 46
       register: get_pip_local_fallback
45 47
       until: get_pip_local_fallback is success
46 48
       retries: 5
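Review bot: the fallback task writes the same fixed `/tmp/get-pip.py`, so whatever destination the primary task moves to (a private temporary directory or an owner-only directory) must be applied here as well, otherwise the fallback path reintroduces the exposure the first hunk addresses; a single variable for the destination would keep the two tasks from drifting. The hunk also folds in an unrelated whitespace fix (`when: get_pip_local  is failed` to a single space), which is fine but worth a mention in the commit message so the diff is not read as a change in condition.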
