Always remove temporary file containing passwords

When generating or updating the passwords.yml file for kolla-ansible,
kayobe writes out various stages of the process to temporary files
in /tmp, in plain text. One of these files can be left in place if
there are no changes to apply to the file.

This change ensures that we always remove temporary files containing
passwords. We also switch from shutil.copy2 to shutil.copyfile, to
keep the permissions of the destination rather than applying those of
the source, which are typically more open (644 vs 600).

Depends-On: https://review.openstack.org/647858
Change-Id: Icb290fd22dc01567a4297a42f5e4d765e3b57d37
Story: 2005299
Task: 30187
Mark Goddard 2019-03-26 14:42:33 +00:00
parent 81e3c8a282
commit 7ca0cd0cb8
2 changed files with 31 additions and 6 deletions


@ -111,13 +111,13 @@ def kolla_passwords(module):
temp_file_path = create_named_tempfile() temp_file_path = create_named_tempfile()
try: try:
# Start with kolla's sample password file. # Start with kolla's sample password file.
shutil.copy2(module.params['sample'], temp_file_path) shutil.copyfile(module.params['sample'], temp_file_path)
# If passwords exist, decrypt and merge these in. # If passwords exist, decrypt and merge these in.
if module.params['src'] and os.path.isfile(module.params['src']): if module.params['src'] and os.path.isfile(module.params['src']):
src_path = create_named_tempfile() src_path = create_named_tempfile()
try: try:
shutil.copy2(module.params['src'], src_path) shutil.copyfile(module.params['src'], src_path)
if module.params['vault_password']: if module.params['vault_password']:
vault_decrypt(module, src_path) vault_decrypt(module, src_path)
kolla_mergepwd(module, src_path, temp_file_path, temp_file_path) kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
@ -142,7 +142,7 @@ def kolla_passwords(module):
if module.params['vault_password']: if module.params['vault_password']:
dest_path = create_named_tempfile() dest_path = create_named_tempfile()
try: try:
shutil.copy2(module.params['dest'], dest_path) shutil.copyfile(module.params['dest'], dest_path)
vault_decrypt(module, dest_path) vault_decrypt(module, dest_path)
checksum_dest = module.sha1(dest_path) checksum_dest = module.sha1(dest_path)
finally: finally:
@ -162,10 +162,10 @@ def kolla_passwords(module):
if changed and not module.check_mode: if changed and not module.check_mode:
module.atomic_move(temp_file_path, module.params['dest']) module.atomic_move(temp_file_path, module.params['dest'])
except Exception as e: except Exception as e:
try: module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
finally:
if os.path.isfile(temp_file_path):
os.unlink(temp_file_path) os.unlink(temp_file_path)
finally:
module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
if not module.check_mode: if not module.check_mode:
# Update the file's attributes. # Update the file's attributes.
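Review bot: None of the three `shutil.copyfile` calls (the sample and `src` copies in the first hunk, the `dest` copy in the second) has a comment saying why `copy2` must not be used, so the permission fix could be undone by a later cleanup. I would add above the first call `# copyfile, not copy2: keep the temp file's own mode rather than inheriting the source's, which is often more open.` The switch only protects the plaintext if `create_named_tempfile()` creates its file owner-only; its body is outside these hunks, so that is worth confirming. In the last hunk, assuming `module.fail_json` exits by raising as Ansible's does, an `OSError` from `os.unlink` in the new `finally` would replace that exit and lose the original failure message. `kolla_passwords` starts and ends outside every hunk shown.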


@ -0,0 +1,25 @@
---
security:
- |
Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
where if the contents of the file have not changed, a plain text copy of the
file would be left in /tmp on the Ansible control host.
The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
user that runs kayobe, with permissions 664 (rw-rw-r--).
It is recommended to check any systems on which Kayobe has been run for
copies of the passwords file in /tmp. A simple check for this is `grep -rn
database_password /tmp`.
fixes:
- |
Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
where if the contents of the file have not changed, a plain text copy of the
file would be left in /tmp on the Ansible control host.
The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
user that runs kayobe, with permissions 664 (rw-rw-r--).
It is recommended to check any systems on which Kayobe has been run for
copies of the passwords file in /tmp. A simple check for this is `grep -rn
database_password /tmp`.