Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Unsafe /tmp/ file use in ceph-ansible

See original GitHub issue

Bug Report

Hi,

I’ve been migrating our local setup to v3.0.39, and discovered that ceph-ansible is now using predictable files/filenames in /tmp instead of e.g. the Ansible tempfile module in several places This is not best security practice (cf https://cwe.mitre.org/data/definitions/377.html and more generally https://cwe.mitre.org/data/definitions/376.html )

eg 1: roles/ceph-config/tasks/main.yml

  - name: template ceph_conf_overrides
    copy:
      content: "{{ ceph_conf_overrides }}"
      dest: "/tmp/ceph_conf_overrides_temp_{{ ansible_hostname }}"

eg 2: roles/ceph-docker-common/tasks/fetch_image.yml

- name: export local ceph dev image
  local_action:
    module: command
      docker save -o "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag }}.tar" "{{ ceph_docker_username }}/{{ ceph_docker_imagename }}:{{ ceph_docker_image_tag }}"
  when:
    - (ceph_docker_dev_image is defined and ceph_docker_dev_image)
  run_once: true
                                                                               -
- name: copy ceph dev image file
  copy:
    src: "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag}}.tar"
    dest: "/tmp/{{ ceph_docker_username }}-{{ ceph_docker_imagename }}-{{ ceph_docker_image_tag }}.tar"
  when:
    - (ceph_docker_dev_image is defined and ceph_docker_dev_image)

eg 3: roles/ceph-defaults/handlers/main.yml

- name: copy mon restart script
  template:
    src: restart_mon_daemon.sh.j2
    dest: /tmp/restart_mon_daemon.sh
    owner: root
    group: root
    mode: 0750

[and many examples in that file]

git grep /tmp is probably a good way to find most/all of these. The right thing to do, I think, is instead use tempfile and register the path it returns.

Environment:

Ubuntu 16.04
kernel 4.4.0-93-generic
Ansible 2.4.4.0
ceph-ansible version v3.0.39
ceph version 10.2.9 (Jewel)

Issue Analytics

State:
Created 5 years ago
Comments:16 (12 by maintainers)

Top GitHub Comments

1reaction

mcv21commented, Sep 19, 2018

Hi, Any chance of a review (or, better a pull 😃 ) on the PRs I put in to fix this issue, please? Thanks.

0reactions

dsavineaucommented, Aug 4, 2020

The associated PR has been merged

Top Results From Across the Web

1850059 – OC deploy fails on ceph-ansible generate ceph.conf

Consider changing the remote tmp path in ansible.cfg to a path rooted in \\\"/tmp\\\", for more error information use -vvv.

The Many Perils of /tmp - Mike Salvatore's Blog

Audacity uses these temporary files for recovery in the event of a crash. Therefore, this temporary directory must have a predictable name ...

Configuring Ceph with Custom Config Settings (via ceph ...

When using ceph-ansible to deploy Ceph in containers, ... the playbook run temporary files, like the Ansible inventory and the ceph-ansible ...

Ceph Dashboard - Ceph Documentation

CephFS: List active file system clients and associated pools, including usage statistics. Evict active CephFS clients. Manage CephFS quotas and snapshots.

ceph-base.yaml - tripleo-heat-templates - OpenDev

default: ''. description: Filesystem path on undercloud to persist a copy of the data. from the ceph-ansible fetch directory. Used as an alternative....