Ensure get-pip cannot be modified
We don't ensure the permissions of the fetched file in the download location. Sadly, /tmp is a known place where users can write files. This is a problem, as a potential race condition could appear, where get-pip is modifiable in the /tmp/ folder by another user, leading to privilege escalation.

Change-Id: I041db3412e228efe8a0d9a87f4cfba206482c729
This commit is contained in:
parent 742b0e5744
commit 039d884e29
@ -21,6 +21,7 @@
|
|||
dest: "/tmp/get-pip.py"
|
||||
force: "yes"
|
||||
validate_certs: "{{ pip_validate_certs }}"
|
||||
mode: "0500"
|
||||
register: get_pip_local
|
||||
until: get_pip_local is success
|
||||
retries: 5
|
||||
|
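Review bot: `mode: "0500"` on the `dest: "/tmp/get-pip.py"` task narrows the permissions of the file once it has been written, but it does not remove the race the commit message describes: the path is predictable and world-writable `/tmp` means another local user can create `/tmp/get-pip.py` (or a symlink at that path) before this task runs, and `force: "yes"` will then happily write over whatever is there. Consider downloading into a freshly created private directory (the `tempfile` module creates one with restrictive permissions) or into a root-owned directory that other users cannot write to, set `owner`/`group` explicitly alongside `mode`, and add a `checksum:` to the `get_url` task so the script is verified against a known value before it is executed.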
@ -40,7 +41,8 @@
|
|||
dest: "/tmp/get-pip.py"
|
||||
force: "yes"
|
||||
validate_certs: "{{ pip_validate_certs }}"
|
||||
when: get_pip_local is failed
|
||||
mode: "0500"
|
||||
when: get_pip_local is failed
|
||||
register: get_pip_local_fallback
|
||||
until: get_pip_local_fallback is success
|
||||
retries: 5
|
||||
|
|
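Review bot: this task now carries `when: get_pip_local is failed` twice, once before the new `mode: "0500"` line and once after it. A duplicated key in a YAML mapping is at best a warning and only the last occurrence takes effect, so one of the two lines should be dropped; keeping the `mode` line next to the other file attributes (`dest`, `force`) and a single `when` after them would mirror the layout of the first task. The same remark as on the first hunk applies here: `mode` alone does not make a predictable path under `/tmp` safe, so the fallback download should land in the same private or root-owned directory as the primary one and be checksum-verified as well.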