If the pipe filter is not working in a way that it previously worked, please file a bug and we will look into it.
On Tue, Mar 11, 2014 at 4:25 PM, <[email protected]> wrote: > Hello, > > Are there any plans to give users the option of re-enabling execution > via shell (for the pipe lookup module in particular) or is it to be > considered "officially wrong" from now on? We're using something like: > macro_new_pass32: "{{ lookup('pipe','cat /dev/urandom | tr -dc A-Za-z0-9 | > head -c32') }}" > to generate temporary throw away passwords without putting them into a > file on the local machine (like the password lookup) which this change > breaks. > > > On Monday, March 10, 2014 11:23:45 PM UTC, Michael DeHaan wrote: >> >> Ansible 1.5.1 Release Notes >> >> Today we're releasing Ansible 1.5.1 which contains three security >> fixes/upgrades as well as a few assorted bugfixes that have been applied >> since the 1.5 release. An upgrade is suggested for all users using vault, >> interacting with web-properties over https://, or those users allowing >> outside untrusted input to be passed as variables to their ansible >> playbooks. >> >> The security improvements are as follows: >> >> Ansible Vault has been updated in terms of how the cipher logic has been >> implemented to make the content harder to brute force. Using the "edit" or >> "rekey" functions in vault will automatically upgrade an existing >> vault-encrypted file to the new format, and the new format is also the >> method used for any new files that vault creates. Users are encouraged to >> upgrade their content as follows, and should also consider changing any >> passwords or keys in vault-encrypted files to take advantage of security >> upgrades, as the previous versions would still exist in SCM history or may >> have been copied by another party. >> >> cd your_playbook_directory/ >> >> find . -type f | xargs grep -l '$ANSIBLE_VAULT;1.0;AES' | xargs >> ansible-vault rekey >> >> Note that the version of pycrypto Vault now needs is newer than what is >> carried in the base channel of Red Hat and CentOS, so if you are using this >> distribution you may benefit from: >> >> yum install python-devel >> >> rpm -e --nodeps python-crypto >> >> pip install pycrypto >> >> If you have a downlevel version the system will warn you about this. If >> you are using vault, you need not worry about this dependency. >> >> Core ansible modules (other than the shell module) have been upgraded to >> avoid running user input through the shell. Some ansible users have >> proxied ansible behind a wrapper script or web proxy (including Ansible >> Tower), that allows users who do not personally have access to machines to >> be able to supply variables as input into playbook executions. This >> includes doing things such as providing a value to "--extra-args" that >> might contain a semicolon, allowing them to run commands as a remote user. >> Removing the ability to use the shell in all of these modules prevents >> command injection in this case. The shell module by design executes >> commands through the shell, so if user supplied variables are being fed to >> things executed by the shell module, consider using the "command" module >> instead or whether users supplying input are trustworthy. User developed >> modules can take advantage of these upgrades by using the "run_command" >> function in "module_utils", which will by default not allow any form of >> shell usage, which is now standard and required for all ansible modules in >> core. Regardless of this fix application, users of ansible should realize >> that any user that is allowed to write playbooks can control the systems >> upon which the playbooks are applied, which is intentional and by design. >> >> Finally, code that performs URL downloads of https:// URLs has been >> upgraded to validate the certificates where possible, unless a new >> parameter "validate_certs=no" is passed to the module. This ensures that >> web servers that are interacted with are signed by a known certificate >> authority. It is very likely that this may require playbook alteration to >> add a "validate_certs=no" to any modules like "get_url" that interact with >> self-signed web services, such as continuous integration servers. In the >> event that this should occur, the playbook will report an appropriate error >> message and reference the ability to add "validate_certs=no" to get around >> the error message. >> >> Ansible 1.5.1 is available now on http://releases.ansible.com as well as >> the python package index, via "pip install ansible". It is anticipated >> that distribution copies of the package, as well as other repositories, >> will pick this up soon. >> >> -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/bbdaf9d2-6c35-4383-addb-e9ce40486c70%40googlegroups.com<https://groups.google.com/d/msgid/ansible-project/bbdaf9d2-6c35-4383-addb-e9ce40486c70%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAKEYsmPU6L-EJJsyUyn%2B9JPS8sqkRA83Ou4d1hfV9-dqjvbz4A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
