ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-25 03:41:25 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

SSH connection plugin creates ControlPersist socket files in a secure directory

Browse source 
Files were being created in /tmp, but will now be created in $HOME/.ansible/cp/
Addresses CVE-2013-4259: ansible uses a socket with predictable filename in /tmp
This commit is contained in:
James Cammarata 2013-08-20 12:03:50 -05:00
parent ae98a025bb
commit 6bf5d19506
2 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

14
lib/ansible/runner/connection_plugins/ssh.py
View file

@ -43,6 +43,7 @@ class Connection(object):
self.user = user
self.password = password
self.private_key_file = private_key_file
self.cp_dir = utils.prepare_writeable_dir('$HOME/.ansible/cp',mode=0700)
self.HASHED_KEY_MAGIC = "|1|"
def connect(self):
@ -57,7 +58,18 @@ class Connection(object):
else:
self.common_args += ["-o", "ControlMaster=auto",
"-o", "ControlPersist=60s",
"-o", "ControlPath=/tmp/ansible-ssh-%h-%p-%r"]
"-o", "ControlPath=%s/ansible-ssh-%%h-%%p-%%r" % self.cp_dir]
cp_in_use = False
cp_path_set = False
for arg in self.common_args:
if arg.find("ControlPersist") != -1:
cp_in_use = True
if arg.find("ControlPath") != -1:
cp_path_set = True
if cp_in_use and not cp_path_set:
self.common_args += ["-o", "ControlPath=%s/ansible-ssh-%%h-%%p-%%r" % self.cp_dir]
if not C.HOST_KEY_CHECKING:
self.common_args += ["-o", "StrictHostKeyChecking=no"]