[Victoria and below] Ensure rights on the ansible.log file

When mistral starts the Ansible action, a log file is created at runtime.
But nothing takes care of its access rights, leading to potential data
leaks to unprivileged users (default mode is 0644).

This patch creates the logfile beforehand, and sets the needed rights
on it.

Change-Id: Ica1b5c0a165cc06fac668513114eef2b4ba73f56
Closes-Bug: #1918138
(cherry picked from commit d485407159)
changes/89/780889/1
Cédric Jeanneret 2 months ago
committed by Cedric Jeanneret
parent
commit
fdd5c0c091
1 changed files with 5 additions and 0 deletions
tripleo_common/actions/ansible.py

@ -121,6 +121,11 @@ def write_default_ansible_cfg(work_dir,
datetime.now().strftime("%Y-%m-%dT%H:%M:%S"))
os.rename(log_path, new_path)
# Create the log file, and set some rights on it in order to prevent
# unwanted access
open(log_path, 'a').close()
os.chmod(log_path, 0o640)
config.set('defaults', 'forks', str(min(
multiprocessing.cpu_count() * 4, 100)))
config.set('defaults', 'timeout', '30')
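
Review bot: the two added lines `open(log_path, 'a').close()` and `os.chmod(log_path, 0o640)` create the file first and restrict it afterwards, so between the two calls the log exists with the umask-derived mode, which is the 0644 the commit message is trying to get rid of. Creating the file with its mode in one step, for example `os.open(log_path, os.O_CREAT | os.O_WRONLY | os.O_APPEND, 0o640)` followed by `os.fchmod` on the returned descriptor before closing it, removes that window and avoids `os.chmod` resolving the path a second time. The comment above the added lines could also name the intended mode and which group is expected to read the log, since 0o640 still grants group read.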

