Hello,
Are there any plans to give users the option of re-enabling execution via
shell (for the pipe lookup module in particular) or is it to be considered
"officially wrong" from now on? We're using something like:
macro_new_pass32: "{{ lookup('pipe','cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32') }}"
to generate temporary throw away passwords without putting them into a file
on the local machine (like the password lookup) which this change breaks.
On Monday, March 10, 2014 11:23:45 PM UTC, Michael DeHaan wrote:
>
> Ansible 1.5.1 Release Notes
>
> Today we’re releasing Ansible 1.5.1 which contains three security
> fixes/upgrades as well as a few assorted bugfixes that have been applied
> since the 1.5 release. An upgrade is suggested for all users using vault,
> interacting with web-properties over https://, or those users allowing
> outside untrusted input to be passed as variables to their ansible
> playbooks.
>
> The security improvements are as follows:
>
> Ansible Vault has been updated in terms of how the cipher logic has been
> implemented to make the content harder to brute force. Using the “edit” or
> “rekey” functions in vault will automatically upgrade an existing
> vault-encrypted file to the new format, and the new format is also the
> method used for any new files that vault creates. Users are encouraged to
> upgrade their content as follows, and should also consider changing any
> passwords or keys in vault-encrypted files to take advantage of security
> upgrades, as the previous versions would still exist in SCM history or may
> have been copied by another party.
>
> cd your_playbook_directory/
>
> find . -type f -print0 | xargs -0 grep -lZ '$ANSIBLE_VAULT;1.0;AES' | xargs -0 ansible-vault rekey
>
> Note that the version of pycrypto Vault now needs is newer than what is
> carried in the base channel of Red Hat and CentOS, so if you are using this
> distribution you may benefit from:
>
> yum install python-devel
>
> rpm -e --nodeps python-crypto
>
> pip install pycrypto
>
> If you have a downlevel version the system will warn you about this. If
> you are using vault, you need not worry about this dependency.
>
> Core ansible modules (other than the shell module) have been upgraded to
> avoid running user input through the shell. Some ansible users have
> proxied ansible behind a wrapper script or web proxy (including Ansible
> Tower), that allows users who do not personally have access to machines to
> be able to supply variables as input into playbook executions. This
> includes doing things such as providing a value to “--extra-args” that
> might contain a semicolon, allowing them to run commands as a remote user.
> Removing the ability to use the shell in all of these modules prevents
> command injection in this case. The shell module by design executes
> commands through the shell, so if user supplied variables are being fed to
> things executed by the shell module, consider using the “command” module
> instead or whether users supplying input are trustworthy. User developed
> modules can take advantage of these upgrades by using the “run_command”
> function in “module_utils”, which will by default not allow any form of
> shell usage, which is now standard and required for all ansible modules in
> core. Regardless of this fix application, users of ansible should realize
> that any user that is allowed to write playbooks can control the systems
> upon which the playbooks are applied, which is intentional and by design.
>
> Finally, code that performs URL downloads of https:// URLs has been
> upgraded to validate the certificates where possible, unless a new
> parameter “validate_certs=no” is passed to the module. This ensures that
> web servers that are interacted with are signed by a known certificate
> authority. It is very likely that this may require playbook alteration to
> add a “validate_certs=no” to any modules like “get_url” that interact with
> self-signed web services, such as continuous integration servers. In the
> event that this should occur, the playbook will report an appropriate error
> message and reference the ability to add “validate_certs=no” to get around
> the error message.
>
> Ansible 1.5.1 is available now on http://releases.ansible.com as well as
> the python package index, via “pip install ansible”. It is anticipated
> that distribution copies of the package, as well as other repositories,
> will pick this up soon.
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/bbdaf9d2-6c35-4383-addb-e9ce40486c70%40googlegroups.com.
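The injection the release notes describe (a caller-supplied variable containing a semicolon reaching /bin/sh) and the shell-free execution that closes it, as an added example that is not from the thread or from the Ansible code base. The function names (run_via_shell, run_via_shell_quoted, run_without_shell, throwaway_password) and the sample value are constructed for illustration; throwaway_password is a suggested shell-free stand-in for the pipe lookup in the reply above, not an Ansible feature. The only assumption is a POSIX /bin/sh with an echo builtin.

```python
"""
Added example (not from the Ansible project or this thread): why handing
caller-supplied variables to /bin/sh is a command injection, and what the
1.5.1-style "no shell" execution changes. Runs offline; needs only /bin/sh.
"""
import secrets
import shlex
import string
import subprocess

# Constructed sample: a value an outside caller could supply as a playbook
# variable (for instance through a wrapper that passes it to --extra-vars).
# The ';' is the payload.
UNTRUSTED_VALUE = "hello; echo INJECTED"


def _run(cmd, use_shell):
    """Run cmd (string or argv list) and return combined stdout/stderr."""
    proc = subprocess.run(cmd, shell=use_shell, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, universal_newlines=True)
    return proc.stdout


def run_via_shell(value):
    """Pre-1.5.1 pattern: build a command string and let /bin/sh parse it.

    The ';' terminates the echo and starts a second command, so whoever
    controls the variable runs arbitrary commands as the remote user.
    Returns "hello\\nINJECTED\\n" for UNTRUSTED_VALUE.
    """
    return _run("echo %s" % value, use_shell=True)


def run_via_shell_quoted(value):
    """If a shell is unavoidable, shlex.quote turns the value into one word.

    The metacharacters survive only as literal text; nothing extra executes.
    """
    return _run("echo %s" % shlex.quote(value), use_shell=True)


def run_without_shell(argv):
    """Post-1.5.1 pattern, matching what the notes say run_command does by
    default: an argv list with shell=False. Each element reaches the program
    unchanged and no shell ever sees the string, so there is nothing to
    inject into.
    """
    return _run(argv, use_shell=False)


def throwaway_password(length=32, alphabet=string.ascii_letters + string.digits):
    """Shell-free equivalent of `cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32`.

    secrets.choice draws from the OS CSPRNG; nothing touches a shell or a file
    on the control machine.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("shell, unquoted :", repr(run_via_shell(UNTRUSTED_VALUE)))
    print("shell, quoted   :", repr(run_via_shell_quoted(UNTRUSTED_VALUE)))
    print("no shell        :", repr(run_without_shell(["echo", UNTRUSTED_VALUE])))
    print("password        :", throwaway_password())
```

The unquoted shell path prints two lines because the shell executed two commands; both the quoted path and the argv path print the original string, semicolon included, as a single argument. The same distinction is why the notes say to prefer the command module over the shell module when the arguments come from people you do not fully trust.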