libretic/ansible-sshd
6
0
Fork 0
mirror of https://github.com/willshersystems/ansible-sshd synced 2024-11-22 02:50:18 +01:00
Code Issues Projects Releases Packages Wiki Activity
ansible-sshd/tasks
History
Jakub Jelen d10f2ada11
fix: use quote with command, shell and validate with variable (#298) 
* robustness: quote test backup/restore file names

This avoids issues if file names are not safepaths.

* security: use quote with command, shell and validate with variable

Skip quotation only if variable is checked.

Add test suit to excercise some quote use cases.

* robustness: fail if systemd.unit could have something in need of quote

Ensure systemd.unit contents is robust. This disables possibility to
have something that needs to be quoted there. But as ansible lacks
proper way to quote systemd unit files (see man systemd.syntax, rules
are not shell rules), it is better to fail such configs. If you are
trying to do that, you are doing it wrong anyway or have malicious
intent.

Also ensure similar issue with sysctl.conf.

Issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding
following to role params:

       sshd_install_service: true
       sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf"
       sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd"
       __sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"

* tests: Quote also the source filename

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Add more negative test cases

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* tests: Skip the test with unsafe TMPDIR as it does not work on CentOS8

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

* Move the variable checks to separate file ...

... and explain better why this is problematic

Drops also the check for internal variables as the user should not
bother with these.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

---------

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Co-authored-by: Markus Linnala <Markus.Linnala@knowit.fi>
2024-09-12 07:24:22 +01:00
..
certificates.yml feat: manage ssh certificates (#252) 2023-09-11 14:39:03 +01:00
check_fips.yml Fix various linting issues 2022-06-03 11:22:17 +01:00
check_vars.yml fix: use quote with command, shell and validate with variable (#298) 2024-09-12 07:24:22 +01:00
find_ports.yml Add whitespace around the filter symbol 2024-01-22 16:41:33 +01:00
firewall.yml Add support for managing selinux and firewall on RHEL 2023-01-13 10:42:40 +01:00
install.yml fix: use quote with command, shell and validate with variable (#298) 2024-09-12 07:24:22 +01:00
install_config.yml fix: use quote with command, shell and validate with variable (#298) 2024-09-12 07:24:22 +01:00
install_namespace.yml fix: use quote with command, shell and validate with variable (#298) 2024-09-12 07:24:22 +01:00
install_service.yml fix: use quote with command, shell and validate with variable (#298) 2024-09-12 07:24:22 +01:00
main.yml tasks: Improve the order of keys and add missing name 2022-12-13 14:13:18 +01:00
selinux.yml Add support for managing selinux and firewall on RHEL 2023-01-13 10:42:40 +01:00
sshd.yml Moves internal non-overridable variables out of defaults 2022-08-23 15:18:41 +02:00
variables.yml feat: support for ostree systems 2023-11-28 09:40:18 -07:00