Always remove temporary file containing passwords
When generating or updating the passwords.yml file for kolla-ansible, kayobe writes out various stages of the process to temporary files in /tmp, in plain text. One of these files can be left in place if there are no changes to apply to the file. This change ensures that we always remove temporary files containing passwords. We also switch from shutil.copy2 to shutil.copyfile, to keep the permissions of the destination rather than applying those of the source, which are typically more open (644 vs 600). Depends-On: https://review.openstack.org/647858 Change-Id: Icb290fd22dc01567a4297a42f5e4d765e3b57d37 Story: 2005299 Task: 30187
This commit is contained in:
parent
81e3c8a282
commit
7ca0cd0cb8
@ -111,13 +111,13 @@ def kolla_passwords(module):
|
|||||||
temp_file_path = create_named_tempfile()
|
temp_file_path = create_named_tempfile()
|
||||||
try:
|
try:
|
||||||
# Start with kolla's sample password file.
|
# Start with kolla's sample password file.
|
||||||
shutil.copy2(module.params['sample'], temp_file_path)
|
shutil.copyfile(module.params['sample'], temp_file_path)
|
||||||
|
|
||||||
# If passwords exist, decrypt and merge these in.
|
# If passwords exist, decrypt and merge these in.
|
||||||
if module.params['src'] and os.path.isfile(module.params['src']):
|
if module.params['src'] and os.path.isfile(module.params['src']):
|
||||||
src_path = create_named_tempfile()
|
src_path = create_named_tempfile()
|
||||||
try:
|
try:
|
||||||
shutil.copy2(module.params['src'], src_path)
|
shutil.copyfile(module.params['src'], src_path)
|
||||||
if module.params['vault_password']:
|
if module.params['vault_password']:
|
||||||
vault_decrypt(module, src_path)
|
vault_decrypt(module, src_path)
|
||||||
kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
|
kolla_mergepwd(module, src_path, temp_file_path, temp_file_path)
|
||||||
@ -142,7 +142,7 @@ def kolla_passwords(module):
|
|||||||
if module.params['vault_password']:
|
if module.params['vault_password']:
|
||||||
dest_path = create_named_tempfile()
|
dest_path = create_named_tempfile()
|
||||||
try:
|
try:
|
||||||
shutil.copy2(module.params['dest'], dest_path)
|
shutil.copyfile(module.params['dest'], dest_path)
|
||||||
vault_decrypt(module, dest_path)
|
vault_decrypt(module, dest_path)
|
||||||
checksum_dest = module.sha1(dest_path)
|
checksum_dest = module.sha1(dest_path)
|
||||||
finally:
|
finally:
|
||||||
@ -162,10 +162,10 @@ def kolla_passwords(module):
|
|||||||
if changed and not module.check_mode:
|
if changed and not module.check_mode:
|
||||||
module.atomic_move(temp_file_path, module.params['dest'])
|
module.atomic_move(temp_file_path, module.params['dest'])
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
try:
|
module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
|
||||||
|
finally:
|
||||||
|
if os.path.isfile(temp_file_path):
|
||||||
os.unlink(temp_file_path)
|
os.unlink(temp_file_path)
|
||||||
finally:
|
|
||||||
module.fail_json(msg="Failed to generate kolla passwords: %s" % repr(e))
|
|
||||||
|
|
||||||
if not module.check_mode:
|
if not module.check_mode:
|
||||||
# Update the file's attributes.
|
# Update the file's attributes.
|
||||||
|
25
releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
Normal file
25
releasenotes/notes/passwords-in-tmp-18e55d5e9b894b4d.yaml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
|
||||||
|
where if the contents of the file have not changed, a plain text copy of the
|
||||||
|
file would be left in /tmp on the Ansible control host.
|
||||||
|
|
||||||
|
The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
|
||||||
|
user that runs kayobe, with permissions 664 (rw-rw-r--).
|
||||||
|
|
||||||
|
It is recommended to check any systems on which Kayobe has been run for
|
||||||
|
copies of the passwords file in /tmp. A simple check for this is `grep -rn
|
||||||
|
database_password /tmp`.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes an issue when generating the ``passwords.yml`` file for Kolla Ansible
|
||||||
|
where if the contents of the file have not changed, a plain text copy of the
|
||||||
|
file would be left in /tmp on the Ansible control host.
|
||||||
|
|
||||||
|
The temporary files are typically named /tmp/tmpXXXXXX, and are owned by the
|
||||||
|
user that runs kayobe, with permissions 664 (rw-rw-r--).
|
||||||
|
|
||||||
|
It is recommended to check any systems on which Kayobe has been run for
|
||||||
|
copies of the passwords file in /tmp. A simple check for this is `grep -rn
|
||||||
|
database_password /tmp`.
|
Loading…
Reference in New Issue
Block a user