From d485407159ea6cb2c7abf6d5788d85147f433996 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Mon, 8 Mar 2021 14:35:55 +0100
Subject: [PATCH] [Victoria and bellow] Ensure rights on the ansible.log file

When mistral starts the Ansible action, a log file is created runtime. But nothing takes care of its access right, leading to potential data leaks to unprivileged users (default mode is 0644). This patch creates the logfile beforehands, and sets the needed rights on it.

Change-Id: Ica1b5c0a165cc06fac668513114eef2b4ba73f56
Closes-Bug: #1918138
---
 tripleo_common/actions/ansible.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tripleo_common/actions/ansible.py b/tripleo_common/actions/ansible.py
index 07fd9be65..157d9aed5 100644
--- a/tripleo_common/actions/ansible.py
+++ b/tripleo_common/actions/ansible.py
@@ -120,6 +120,11 @@ def write_default_ansible_cfg(work_dir,
                                 datetime.now().strftime("%Y-%m-%dT%H:%M:%S"))
         os.rename(log_path, new_path)
 
+    # Create the log file, and set some rights on it in order to prevent
+    # unwanted access
+    open(log_path, 'a').close()
+    os.chmod(log_path, 0o640)
+
     config.set('defaults', 'forks', str(min(
         multiprocessing.cpu_count() * 4, 100)))
     config.set('defaults', 'timeout', '30')
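Review bot: The added `open(log_path, 'a').close()` creates the file under the process umask (typically yielding 0644) and only the following `os.chmod` tightens it, so there is a short window in which a fresh ansible.log is world-readable — the very leak this commit is closing. Creating it with the restrictive mode from the start removes that window: `fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o640)` followed by `os.close(fd)`, keeping `os.chmod(log_path, 0o640)` after it because umask can only strip bits and a file that already existed keeps its old mode. The `os.rename` just above moves any previous log to `new_path` with its existing (pre-patch, presumably 0644) permissions, so logs written before this fix remain readable until they are chmod'd as well; note also that `os.chmod` follows symlinks, which only matters if an unprivileged user can write to the directory holding log_path. The enclosing write_default_ansible_cfg starts before this hunk, so where log_path is derived and what guards the rename is not visible here.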