Risky File Permissions

  • Query id: 88841d5c-d22d-4b7e-a6a0-89ca50e44b9f
  • Query name: Risky File Permissions
  • Platform: Ansible
  • Severity: Info
  • Category: Supply-Chain
  • CWE: 732
  • URL: Github

Description

Some modules could end up creating new files on disk with permissions that might be too open or unpredictable
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
---
- name: PRESERVE_MODE
  tasks:
    - name: not preserve value
      ansible.builtin.file:
        path: foo
        mode: preserve

---
- name: MISSING_PERMISSIONS_TOUCH
  tasks:
    - name: Permissions missing
      file:
        path: foo
        state: touch
    - name: Permissions missing 2x
      ansible.builtin.file:
        path: foo
        state: touch

---
- name: MISSING_PERMISSIONS_DIRECTORY
  tasks:
    - name: Permissions missing 3x
      file:
        path: foo
        state: directory
    - name: create is true
      ansible.builtin.lineinfile:
        path: foo
        create: true
        line: some content here

---
- name: MISSING_PERMISSIONS_GET_URL
  tasks:
    - name: Permissions missing 4x
      get_url:
        url: http://foo
        dest: foo

---
- name: LINEINFILE_CREATE
  tasks:
    - name: create is true 2x
      ansible.builtin.lineinfile:
        path: foo
        create: true
        line: some content here

---
- name: REPLACE_PRESERVE
  tasks:
    - name: not preserve mode 2x
      replace:
        path: foo
        mode: preserve
        regexp: foo

---
- name: NOT_PERMISSION
  tasks:
    - name: Not Permissions
      file:
        path: foo
        owner: root
        group: root
        state: directory

---
- name: LINEINFILE_CREATE2
  tasks:
    - name: create_false
      ansible.builtin.lineinfile:
        path: foo
        create: true
        line: some content here
        mode: preserve

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
---
- name: SUCCESS_PERMISSIONS_PRESENT
  hosts: all
  tasks:
    - name: Permissions not missing and numeric
      ansible.builtin.file:
        path: foo
        mode: "0600"

---
- name: SUCCESS_PERMISSIONS_PRESENT_GET_URL
  hosts: all
  tasks:
    - name: Permissions not missing and numeric
      ansible.builtin.get_url:
        url: http://foo
        dest: foo
        mode: "0600"

---
- name: SUCCESS_ABSENT_STATE
  hosts: all
  tasks:
    - name: Permissions missing while state is absent is fine
      ansible.builtin.file:
        path: foo
        state: absent

---
- name: SUCCESS_DEFAULT_STATE
  hosts: all
  tasks:
    - name: Permissions missing while state is file (default) is fine
      ansible.builtin.file:
        path: foo

---
- name: SUCCESS_LINK_STATE
  hosts: all
  tasks:
    - name: Permissions missing while state is link is fine
      ansible.builtin.file:
        path: foo2
        src: foo
        state: link

---
- name: SUCCESS_CREATE_FALSE
  hosts: all
  tasks:
    - name: File edit when create is false
      ansible.builtin.lineinfile:
        path: foo
        create: false
        line: some content here

---
- name: SUCCESS_REPLACE
  hosts: all
  tasks:
    - name: Replace should not require mode
      ansible.builtin.replace:
        path: foo
        regexp: foo

---
- name: SUCCESS_RECURSE
  hosts: all
  tasks:
    - name: File with recursive does not require mode
      ansible.builtin.file:
        state: directory
        recurse: true
        path: foo
    - name: Permissions not missing and numeric (fqcn)
      ansible.builtin.file:
        path: bar
        mode: "755"
    - name: File edit when create is false (fqcn)
      ansible.builtin.lineinfile:
        path: foo
        create: false
        line: some content here

---
- name: LINIINFILE_CREATE
  tasks: 
    - name: create is true 2x
      lineinfile:
        path: foo
        line: some content here
        mode: "0600"

---
- name: PRESERVE_MODE
  tasks:
    - name: not preserve value
      copy:
        path: foo
        mode: preserve

---
- name: LINEINFILE_CREATE2
  tasks:
    - name: create_false
      ansible.builtin.lineinfile:
        path: foo
        create: true
        line: some content here
        mode: "644"