Unsafe /tmp/ file use in ceph-ansible
Bug Report
Hi,
I’ve been migrating our local setup to v3.0.39, and discovered that ceph-ansible is now using predictable files/filenames in /tmp instead of e.g. the Ansible `tempfile` module in several places. This is not best security practice (cf. https://cwe.mitre.org/data/definitions/377.html and, more generally, https://cwe.mitre.org/data/definitions/376.html).
eg 1: `roles/ceph-config/tasks/main.yml`

```yaml
- name: template ceph_conf_overrides
  copy:
    content: "{{ ceph_conf_overrides }}"
    dest: "/tmp/ceph_conf_overrides_temp_{{ ansible_hostname }}"
```
eg 2: `roles/ceph-docker-common/tasks/fetch_image.yml`

```yaml
- name: export local ceph dev image
  local_action:
    module: command
    docker save -o "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag }}.tar" "{{ ceph_docker_username }}/{{ ceph_docker_imagename }}:{{ ceph_docker_image_tag }}"
  when:
    - (ceph_docker_dev_image is defined and ceph_docker_dev_image)
  run_once: true

- name: copy ceph dev image file
  copy:
    src: "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag }}.tar"
    dest: "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag }}.tar"
  when:
    - (ceph_docker_dev_image is defined and ceph_docker_dev_image)
```
eg 3: `roles/ceph-defaults/handlers/main.yml`

```yaml
- name: copy mon restart script
  template:
    src: restart_mon_daemon.sh.j2
    dest: /tmp/restart_mon_daemon.sh
    owner: root
    group: root
    mode: 0750
```

[and many examples in that file]
`git grep /tmp` is probably a good way to find most/all of these. The right thing to do, I think, is instead use `tempfile` and register the path it returns.
Environment:
- Ubuntu 16.04
- kernel 4.4.0-93-generic
- Ansible 2.4.4.0
- ceph-ansible version v3.0.39
- ceph version 10.2.9 (Jewel)
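As an added illustration (not ceph-ansible's own code, nor part of the report), here is the predictable-path pattern from eg 1 next to the `tempfile`-and-register replacement the reporter suggests, plus the controller-side variant for the `docker save` case from eg 2; task names and register variable names are assumptions chosen for this example.

```yaml
# Added example, not ceph-ansible's own code. Task and register names
# are chosen here for illustration.

# Weak form (CWE-377): a fixed, guessable path in the world-writable /tmp.
# Whatever already sits at that path (file or symlink) is overwritten or
# followed, and the content lands with default, readable permissions.
- name: template ceph_conf_overrides (predictable path)
  copy:
    content: "{{ ceph_conf_overrides }}"
    dest: "/tmp/ceph_conf_overrides_temp_{{ ansible_hostname }}"

# Hardened form: tempfile (Ansible >= 2.3) creates the file itself with an
# unpredictable name and 0600 mode and returns the path; the always:
# section removes it even if a later task in the block fails.
- name: handle ceph_conf_overrides through a registered temp file
  block:
    - name: create temporary file on the target host
      tempfile:
        state: file
        prefix: ceph_conf_overrides_
      register: conf_tmp

    - name: write overrides into the registered path only
      copy:
        content: "{{ ceph_conf_overrides }}"
        dest: "{{ conf_tmp.path }}"
        mode: "0600"
  always:
    - name: remove the temporary file
      file:
        path: "{{ conf_tmp.path }}"
        state: absent
      when: conf_tmp.path is defined

# Controller-side variant for the docker save case: create the temp file
# on localhost and feed the registered path to docker save (and to copy).
- name: create temporary tarball path on the controller
  tempfile:
    state: file
    suffix: .tar
  delegate_to: localhost
  run_once: true
  register: image_tar

- name: export local ceph dev image into the registered path
  command: docker save -o "{{ image_tar.path }}" "{{ ceph_docker_username }}/{{ ceph_docker_imagename }}:{{ ceph_docker_image_tag }}"
  delegate_to: localhost
  run_once: true
```

A quick check for regressions is the reporter's `git grep /tmp`: after the change, the only remaining hits should be `dest:`/`src:` values that come from a registered `tempfile` result rather than a literal path.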
Issue Analytics
- Created 5 years ago
- Comments: 16 (12 by maintainers)
Top GitHub Comments
Hi, any chance of a review (or, better, a pull 😃) on the PRs I put in to fix this issue, please? Thanks.
The associated PR has been merged