From 039d884e29fff2e597fb0660499fd22852c31743 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Fri, 17 Aug 2018 18:17:08 +0200
Subject: [PATCH] Ensure get-pip cannot be modified

We don't ensure the permissions of the fetched file on the download location. Sadly /tmp is a known place where users can write files. This is a problem, as a potential race condition could appear, where get-pip is modifiable on /tmp/ folder by another user, leading to privilege escalation.

Change-Id: I041db3412e228efe8a0d9a87f4cfba206482c729
---
 tasks/install_offline.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/install_offline.yml b/tasks/install_offline.yml
index 80314b5..216eea9 100644
--- a/tasks/install_offline.yml
+++ b/tasks/install_offline.yml
@@ -21,6 +21,7 @@
 dest: "/tmp/get-pip.py"
 force: "yes"
 validate_certs: "{{ pip_validate_certs }}"
+ mode: "0500"
 register: get_pip_local
 until: get_pip_local is success
 retries: 5
@@ -40,7 +41,8 @@
 dest: "/tmp/get-pip.py"
 force: "yes"
 validate_certs: "{{ pip_validate_certs }}"
- when: get_pip_local is failed
+ mode: "0500"
+ when: get_pip_local is failed
 register: get_pip_local_fallback
 until: get_pip_local_fallback is success
 retries: 5
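Review bot: Applying `mode: "0500"` after the fetch hardens the file once it exists but does not remove the fixed, predictable path `/tmp/get-pip.py` in a world-writable directory, which is the actual source of the race the commit message describes; the fallback task in the second hunk has the same gap. Another local user can create that name (or a symlink there) before the task runs, and what `get_url` then does depends on whether the task runs as root and how the existing entry is replaced, none of which is visible in these hunks. A more robust fix is to fetch into a freshly created private directory, e.g. a preceding `tempfile` task with `state: directory`, and point `dest` of both `get_url` tasks (and whatever later executes the script) at that directory; confirm the created directory's permissions match what the threat model needs. The quoted octal is the right form for `mode` — an unquoted `0500` would be read as an integer by YAML 1.1 parsers. Both `get_url` tasks begin before their hunks, so the `url`, `name` and any `become` setting are not visible here.

```yaml
- name: Create a private directory for get-pip
  tempfile:
    state: directory
  register: get_pip_tmpdir  # constructed variable name

# … unchanged: get_url task header (name, url, force, validate_certs) …
    dest: "{{ get_pip_tmpdir.path }}/get-pip.py"
    mode: "0500"
```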