author: Rick Elrod <rick@elrod.me> 2020-06-01 10:43:20 +0200
committer: GitHub <noreply@github.com> 2020-06-01 10:43:20 +0200
commit: 2abaf320d746c8680a0ce595ad0de93639c7e539
tree: d3dbbeaa7b76cec5454041a5575d685c182585c0
parent: Enable logging using setup_loggers() API in dnf-4.2.17-6 or later
[ansiballz] ensure that '' is not in sys.path (#69342)
Change: On OpenBSD when using pipelining, we do not set cwd, which results in a permissions fatal. Ensure that `''` - cwd - is not in `sys.path`.

Test Plan: Tested against local OpenBSD VM

Tickets: Fixes #69320

Signed-off-by: Rick Elrod <rick@elrod.me>
-rw-r--r--  changelogs/fragments/69320-sys-path-cwd.yml             | 2
-rw-r--r--  docs/docsite/rst/porting_guides/porting_guide_2.10.rst  | 1
-rw-r--r--  lib/ansible/executor/module_common.py                   | 6
3 files changed, 7 insertions, 2 deletions
diff --git a/changelogs/fragments/69320-sys-path-cwd.yml b/changelogs/fragments/69320-sys-path-cwd.yml
new file mode 100644
index 0000000000..2d86c450a0
--- /dev/null
+++ b/changelogs/fragments/69320-sys-path-cwd.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - ansiballz - remove '' and '.' from sys.path to fix a permissions issue on OpenBSD with pipelining (#69320)
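Review bot: this fragment files the change under `bugfixes` only, but the porting-guide entry in the same commit documents a user-visible behaviour change (Python modules installed in the remote user's cwd are no longer importable by Ansible modules), so anyone scanning the changelog for things that can break their playbooks will miss it. Suggest adding a second entry under a behaviour-change section (for example `minor_changes`) that states the new rule and points to the porting guide, and keep the `bugfixes` line for the OpenBSD pipelining symptom.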
diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
index 54b2989c49..9b6073de00 100644
--- a/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.10.rst
@@ -138,6 +138,7 @@ Noteworthy module changes
* The parameter ``message`` in :ref:`grafana_dashboard <grafana_dashboard_module>` module is renamed to ``commit_message`` since ``message`` is used by Ansible Core engine internally.
* The parameter ``message`` in :ref:`datadog_monitor <datadog_monitor_module>` module is renamed to ``notification_message`` since ``message`` is used by Ansible Core engine internally.
* The parameter ``message`` in :ref:`bigpanda <bigpanda_module>` module is renamed to ``deployment_message`` since ``message`` is used by Ansible Core engine internally.
+* Ansible no longer looks for Python modules in the current working directory (typically the ``remote_user``'s home directory) when an Ansible module is run. This is to fix becoming an unprivileged user on OpenBSD and to mitigate any attack vector if the current working directory is writable by a malicious user. Install any Python modules needed to run the Ansible modules on the managed node in a system-wide location or in another directory which is in the ``remote_user``'s ``$PYTHONPATH`` and readable by the ``become_user``.
Plugins
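Review bot: "to mitigate any attack vector if the current working directory is writable by a malicious user" is too vague for a porting guide; the concrete risk is that with `''` at the front of `sys.path` a file such as `base64.py` or `runpy.py` dropped into a writable cwd is imported in place of the standard-library module by the `import base64` / `import runpy` lines that follow in `_ansiballz_main()`, i.e. arbitrary code runs as the `become_user`. Suggest stating that directly. Also, "fix becoming an unprivileged user on OpenBSD" reads oddly; "fix `become` to an unprivileged user on OpenBSD when pipelining is enabled" matches the commit message and the changelog fragment.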
diff --git a/lib/ansible/executor/module_common.py b/lib/ansible/executor/module_common.py
index fea097cf90..05b1e8ab2f 100644
--- a/lib/ansible/executor/module_common.py
+++ b/lib/ansible/executor/module_common.py
@@ -143,8 +143,10 @@ def _ansiballz_main():
# OSX raises OSError if using abspath() in a directory we don't have
# permission to read (realpath calls abspath)
pass
- if scriptdir is not None:
- sys.path = [p for p in sys.path if p != scriptdir]
+
+ # Strip cwd from sys.path to avoid potential permissions issues
+ excludes = set(('', '.', scriptdir))
+ sys.path = [p for p in sys.path if p not in excludes]
import base64
import runpy
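Review bot: the comment "Strip cwd from sys.path" promises more than the filter delivers: only the literal entries `''`, `'.'` and `scriptdir` are removed, so an equivalent spelling such as `'./'` or the absolute cwd placed on `sys.path` via `PYTHONPATH` is still searched. Either say so in the comment ("remove the implicit cwd entries the interpreter adds") or normalise each entry with `os.path.abspath()` before comparing, inside the same `try`/`except OSError` that already guards the `abspath()` call for `scriptdir` a few lines above, since that call is exactly what fails on an unreadable cwd. Separately, dropping the `if scriptdir is not None` guard means `None` lands in `excludes`; harmless because `sys.path` holds strings, but
`excludes = set(('', '.'))`
`if scriptdir is not None:`
`    excludes.add(scriptdir)`
is clearer about intent and avoids a reviewer having to reason about `None` membership.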