author: Toshio Kuratomi <a.badger@gmail.com> 2018-08-03 10:39:33 -0700
committer: GitHub <noreply@github.com> 2018-08-03 10:39:33 -0700
commit: 30662bedadda1cc00efb1946e8f75c5b9fb42d66 (patch)
tree: a4e6b6485a0dd11d94f25362adc7da73dce8afc6 /docs/templates
parent: 48280463f2c8e60a222ac793fafb118ad9ce3c90 (diff)
Only print warning when ansible.cfg is actually skipped (#43583)

* Also add unittests for the find_ini_config_file function
* Add documentation on world writable current working directory

config files can no longer be loaded from a world writable current working directory but the end user is allowed to specify that explicitly. Give appropriate warnings and information on how.

Fixes #42388
Diffstat (limited to 'docs/templates')
-rw-r--r-- docs/templates/config.rst.j2 | 34
1 files changed, 34 insertions, 0 deletions
diff --git a/docs/templates/config.rst.j2 b/docs/templates/config.rst.j2
index cf5baaf4ee..bc6c71713f 100644
--- a/docs/templates/config.rst.j2
+++ b/docs/templates/config.rst.j2
@@ -40,6 +40,40 @@ Ansible will process the above list and use the first file found, all others are
inventory = /etc/ansible/hosts ; This points to the file that lists your hosts
+.. _cfg_in_world_writable_dir:
+
+Avoiding security risks with ``ansible.cfg`` in the current directory
+---------------------------------------------------------------------
+
+
+If Ansible were to load :file:ansible.cfg from a world-writable current working
+directory, it would create a serious security risk. Another user could place
+their own config file there, designed to make Ansible run malicious code both
+locally and remotely, possibly with elevated privileges. For this reason,
+Ansible will not automatically load a config file from the current working
+directory if the directory is world-writable.
+
+If you depend on using Ansible with a config file in the current working
+directory, the best way to avoid this problem is to restrict access to your
+Ansible directories to particular user(s) and/or group(s). If your Ansible
+directories live on a filesystem which has to emulate Unix permissions, like
+Vagrant or Windows Subsystem for Linux (WSL), you may, at first, not know how
+you can fix this as ``chmod``, ``chown``, and ``chgrp`` might not work there.
+In most of those cases, the correct fix is to modify the mount options of the
+filesystem so the files and directories are readable and writable by the users
+and groups running Ansible but closed to others. For more details on the
+correct settings, see:
+
+* for Vagrant, Jeremy Kendall's `blog post <http://jeremykendall.net/2013/08/09/vagrant-synced-folders-permissions/>`_ covers synced folder permissions.
+* for WSL, the `WSL docs <https://docs.microsoft.com/en-us/windows/wsl/wsl-config#set-wsl-launch-settings>`_
+ and this `Microsoft blog post <https://blogs.msdn.microsoft.com/commandline/2018/01/12/chmod-chown-wsl-improvements/>`_ cover mount options.
+
+If you absolutely depend on having the config live in a world-writable current
+working directory, you can explicitly specify the config file via the
+:envvar:`ANSIBLE_CONFIG` environment variable. Please take
+appropriate steps to mitigate the security concerns above before doing so.
+
+
Common Options
==============
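Review bot: the `:file:` role in the first sentence of the new section is missing its backticks, so `:file:ansible.cfg` will render as literal text instead of a file reference; write it as :file:`ansible.cfg`, matching the ``ansible.cfg`` literal already used in the heading. Two smaller points: the section opens with two blank lines after the heading underline and closes with two before ``Common Options``, where one blank line each is the convention in this file; and since the paragraph goes straight to the Vagrant/WSL case where ``chmod`` may not work, it would help readers on an ordinary filesystem to state the plain fix first (clear the world-writable bit on the directory, e.g. ``chmod o-w .``) before pointing at mount options, so they do not reach for ``ANSIBLE_CONFIG`` as the first resort.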