Ensure get-pip cannot be modified
We don't ensure the permissions of the fetched file on the download location. Sadly /tmp is a known place where users can write files. This is a problem, as a potential race condition could appear, where get-pip is modifiable in the /tmp/ folder by another user, leading to privilege escalation.

Change-Id: I041db3412e228efe8a0d9a87f4cfba206482c729
This commit is contained in:
parent
742b0e5744
commit
039d884e29
|
@ -21,6 +21,7 @@
|
||||||
dest: "/tmp/get-pip.py"
|
dest: "/tmp/get-pip.py"
|
||||||
force: "yes"
|
force: "yes"
|
||||||
validate_certs: "{{ pip_validate_certs }}"
|
validate_certs: "{{ pip_validate_certs }}"
|
||||||
|
mode: "0500"
|
||||||
register: get_pip_local
|
register: get_pip_local
|
||||||
until: get_pip_local is success
|
until: get_pip_local is success
|
||||||
retries: 5
|
retries: 5
|
||||||
|
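Review bot: adding `mode: "0500"` to the downloaded file does not close the race described in the commit message, because the destination is still the shared, world-writable /tmp and the path `/tmp/get-pip.py` is fixed and predictable; another local user can create that name first, and with `force: "yes"` the task then overwrites, or fails on, a file it does not own. Prefer a destination that only the playbook user can write, for example a per-run directory created with the `tempfile` module (`state: directory`) or a directory under that user's home, and consider setting get_url's `checksum:` parameter so the script's content is verified before it is executed.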
@ -40,7 +41,8 @@
|
||||||
dest: "/tmp/get-pip.py"
|
dest: "/tmp/get-pip.py"
|
||||||
force: "yes"
|
force: "yes"
|
||||||
validate_certs: "{{ pip_validate_certs }}"
|
validate_certs: "{{ pip_validate_certs }}"
|
||||||
when: get_pip_local is failed
|
mode: "0500"
|
||||||
|
when: get_pip_local is failed
|
||||||
register: get_pip_local_fallback
|
register: get_pip_local_fallback
|
||||||
until: get_pip_local_fallback is success
|
until: get_pip_local_fallback is success
|
||||||
retries: 5
|
retries: 5
|
||||||
|
|
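Review bot: this fallback task gets the same `mode: "0500"` as the primary task, but both still write the same fixed `/tmp/get-pip.py`, so the concern raised on the first hunk applies here as well. Since the two tasks differ only in `when:` and `register:`, putting `dest` and `mode` in one shared variable would keep them from drifting apart, and the fallback should download into the same private directory once the primary task is moved out of /tmp.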