author | Michael Scherer <misc@zarb.org> | 2016-09-24 18:29:15 +0200 |
---|---|---|
committer | Brian Coca <bcoca@users.noreply.github.com> | 2016-09-26 11:16:22 -0400 |
commit | 362b682f1c20144313fd173baba0b4f0350b3574 (patch) | |
tree | 94534a4bb5c4046363982af1b9b9f83b64f4636c | |
parent | 38b975800db1e686af729db674928c403d93e706 (diff) | |
download | ansible-362b682f1c20144313fd173baba0b4f0350b3574.tar.gz |
Add a umask argument to run_command
In order to avoid problems due to race conditions, it is
required to run umask when generating some sensitive files,
such as a TLS key.
-rw-r--r-- | lib/ansible/module_utils/basic.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/ansible/module_utils/basic.py b/lib/ansible/module_utils/basic.py
index dda62155ba..34f20214c4 100644
--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@@ -2030,7 +2030,7 @@ class AnsibleModule(object):
 else:
 self.fail_json(msg='Could not replace file: %s to %s: %s' % (src, dest, exception))
- def run_command(self, args, check_rc=False, close_fds=True, executable=None, data=None, binary_data=False, path_prefix=None, cwd=None, use_unsafe_shell=False, prompt_regex=None, environ_update=None):
+ def run_command(self, args, check_rc=False, close_fds=True, executable=None, data=None, binary_data=False, path_prefix=None, cwd=None, use_unsafe_shell=False, prompt_regex=None, environ_update=None, umask=None):
 ''' Execute a command, returns rc, stdout, and stderr.
@@ -2053,6 +2053,7 @@ class AnsibleModule(object):
 used to detect prompts in the stdout which would otherwise cause the execution to hang (especially if no input data is specified)
 :kwarg environ_update: dictionary to *update* os.environ with
+ :kw umask: Umask to be used when running the command. Default None
 '''
 shell = False
@@ -2180,6 +2181,10 @@ class AnsibleModule(object):
 e = get_exception()
 self.fail_json(rc=e.errno, msg="Could not open %s, %s" % (cwd, str(e)))
+ old_umask = None
+ if umask:
+ old_umask = os.umask(umask)
+
 try:
 if self._debug:
@@ -2253,6 +2258,9 @@ class AnsibleModule(object):
 else:
 os.environ[key] = val
+ if old_umask:
+ os.umask(old_umask)
+
 if rc != 0 and check_rc:
 msg = heuristic_log_sanitize(stderr.rstrip(), self.no_log_values)
 self.fail_json(cmd=clean_args, rc=rc, stdout=stdout, stderr=stderr, msg=msg) |
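Review bot: The new `:kw umask:` docstring line does not say what form the value takes, yet the later hunk passes it straight to `os.umask()`, which accepts only an integer. A caller who passes a mode string such as '0077' would get a TypeError instead of a restricted mask, which matters for the sensitive-file case the commit message describes. I would word it as `:kw umask: Integer umask (for example octal 077) set while the command runs and restored afterwards. Default None`. The docstring begins outside this hunk.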
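Review bot: Both new guards test truthiness where they need to test for None. `if umask:` in this hunk silently ignores an explicit umask of 0, and `if old_umask:` in the last hunk skips the restore whenever the process's previous umask was 0, so the caller's mask stays in force for the rest of the module run. Use `if umask is not None:` and `if old_umask is not None:`. The restore also sits after the `try` block rather than in a `finally`, which is safe only if every failure path inside it ends the process through `fail_json`; the hunks do not show that. The body of run_command continues outside both hunks.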