Risky File Permissions
- Query id: 88841d5c-d22d-4b7e-a6a0-89ca50e44b9f
- Query name: Risky File Permissions
- Platform: Ansible
- Severity: Info
- Category: Supply-Chain
- CWE: Ongoing
- URL: Github
Description¶
Some modules could end up creating new files on disk with permissions that might be too open or unpredictable
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
- name: PRESERVE_MODE
tasks:
- name: not preserve value
ansible.builtin.file:
path: foo
mode: preserve
---
- name: MISSING_PERMISSIONS_TOUCH
tasks:
- name: Permissions missing
file:
path: foo
state: touch
- name: Permissions missing 2x
ansible.builtin.file:
path: foo
state: touch
---
- name: MISSING_PERMISSIONS_DIRECTORY
tasks:
- name: Permissions missing 3x
file:
path: foo
state: directory
- name: create is true
ansible.builtin.lineinfile:
path: foo
create: true
line: some content here
---
- name: MISSING_PERMISSIONS_GET_URL
tasks:
- name: Permissions missing 4x
get_url:
url: http://foo
dest: foo
---
- name: LINEINFILE_CREATE
tasks:
- name: create is true 2x
ansible.builtin.lineinfile:
path: foo
create: true
line: some content here
---
- name: REPLACE_PRESERVE
tasks:
- name: not preserve mode 2x
replace:
path: foo
mode: preserve
regexp: foo
---
- name: NOT_PERMISSION
tasks:
- name: Not Permissions
file:
path: foo
owner: root
group: root
state: directory
---
- name: LINEINFILE_CREATE2
tasks:
- name: create_false
ansible.builtin.lineinfile:
path: foo
create: true
line: some content here
mode: preserve
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
---
- name: SUCCESS_PERMISSIONS_PRESENT
hosts: all
tasks:
- name: Permissions not missing and numeric
ansible.builtin.file:
path: foo
mode: "0600"
---
- name: SUCCESS_PERMISSIONS_PRESENT_GET_URL
hosts: all
tasks:
- name: Permissions not missing and numeric
ansible.builtin.get_url:
url: http://foo
dest: foo
mode: "0600"
---
- name: SUCCESS_ABSENT_STATE
hosts: all
tasks:
- name: Permissions missing while state is absent is fine
ansible.builtin.file:
path: foo
state: absent
---
- name: SUCCESS_DEFAULT_STATE
hosts: all
tasks:
- name: Permissions missing while state is file (default) is fine
ansible.builtin.file:
path: foo
---
- name: SUCCESS_LINK_STATE
hosts: all
tasks:
- name: Permissions missing while state is link is fine
ansible.builtin.file:
path: foo2
src: foo
state: link
---
- name: SUCCESS_CREATE_FALSE
hosts: all
tasks:
- name: File edit when create is false
ansible.builtin.lineinfile:
path: foo
create: false
line: some content here
---
- name: SUCCESS_REPLACE
hosts: all
tasks:
- name: Replace should not require mode
ansible.builtin.replace:
path: foo
regexp: foo
---
- name: SUCCESS_RECURSE
hosts: all
tasks:
- name: File with recursive does not require mode
ansible.builtin.file:
state: directory
recurse: true
path: foo
- name: Permissions not missing and numeric (fqcn)
ansible.builtin.file:
path: bar
mode: "755"
- name: File edit when create is false (fqcn)
ansible.builtin.lineinfile:
path: foo
create: false
line: some content here
---
- name: LINIINFILE_CREATE
tasks:
- name: create is true 2x
lineinfile:
path: foo
line: some content here
mode: "0600"
---
- name: PRESERVE_MODE
tasks:
- name: not preserve value
copy:
path: foo
mode: preserve
---
- name: LINEINFILE_CREATE2
tasks:
- name: create_false
ansible.builtin.lineinfile:
path: foo
create: true
line: some content here
mode: "644"