Don't create world-readable module and tempfiles without explicit user permission

author: Toshio Kuratomi <toshio@fedoraproject.org> 2016-03-21 14:17:53 -0700
committer: Toshio Kuratomi <toshio@fedoraproject.org> 2016-03-23 09:52:19 -0700
commit: 52e9209491dee6a0c63edaa770b8601092248283 (patch)
tree: f28558600abff4567a1e0988571b813182a69a07 /examples/ansible.cfg
parent: 0cabef19ad14d1c4b63da2acd17c2e5ff1d2e7f5 (diff)
download: ansible-52e9209491dee6a0c63edaa770b8601092248283.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/examples/ansible.cfg b/examples/ansible.cfg
index 98657cc062..19913af9aa 100644
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -212,6 +212,14 @@
 # prevents logging of tasks, but only on the targets, data is still logged on the master/controller
 #no_target_syslog = False
 
+# controls whether Ansible will raise an error or warning if a task has no
+# choice but to create world readable temporary files to execute a module on
+# the remote machine.  This option is False by default for security.  Users may
+# turn this on to have behaviour more like Ansible prior to 2.1.x.  See
+# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
+# for more secure ways to fix this than enabling this option.
+#allow_world_readable_tmpfiles = False
+
 # controls the compression level of variables sent to
 # worker processes. At the default of 0, no compression
 # is used. This value must be an integer from 0 to 9.
author	Toshio Kuratomi <toshio@fedoraproject.org>	2016-03-21 14:17:53 -0700
committer	Toshio Kuratomi <toshio@fedoraproject.org>	2016-03-23 09:52:19 -0700
commit	52e9209491dee6a0c63edaa770b8601092248283 (patch)
tree	f28558600abff4567a1e0988571b813182a69a07 /examples/ansible.cfg
parent	0cabef19ad14d1c4b63da2acd17c2e5ff1d2e7f5 (diff)
download	ansible-52e9209491dee6a0c63edaa770b8601092248283.tar.gz