[Victoria and below] Ensure rights on the ansible.log file

When mistral starts the Ansible action, a log file is created at runtime.
But nothing takes care of its access rights, leading to potential data
leaks to unprivileged users (default mode is 0644).

This patch creates the logfile beforehand, and sets the needed rights
on it.

Change-Id: Ica1b5c0a165cc06fac668513114eef2b4ba73f56
Closes-Bug: #1918138
(cherry picked from commit d485407159)
(cherry picked from commit fdd5c0c091)
Cédric Jeanneret 2021-03-08 14:35:55 +01:00 committed by Cedric Jeanneret
parent dbdaa05dc6
commit 32e2249e41
1 changed files with 5 additions and 0 deletions

@ -119,6 +119,11 @@ def write_default_ansible_cfg(work_dir,
datetime.now().strftime("%Y-%m-%dT%H:%M:%S"))
os.rename(log_path, new_path)
# Create the log file, and set some rights on it in order to prevent
# unwanted access
open(log_path, 'a').close()
os.chmod(log_path, 0o640)
config.set('defaults', 'forks', str(min(
multiprocessing.cpu_count() * 4, 100)))
config.set('defaults', 'timeout', '30')
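
Review bot: In the added lines after os.rename, open(log_path, 'a').close() creates the file with whatever mode the process umask yields (0644 per the commit message), and os.chmod(log_path, 0o640) only narrows it afterwards, so for a short window the log exists world-readable and a process that opens it in that window keeps a usable descriptor for everything appended later. Creating the file with its final mode in a single call closes that window, for example os.close(os.open(log_path, os.O_CREAT | os.O_WRONLY | os.O_APPEND, 0o640)), keeping the os.chmod call only to tighten a file that already exists with wider permissions. Since 0o640 still grants group read, the comment above these lines should say which group is expected to read the log rather than "some rights".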