Ensure get-pip cannot be modified

We don't ensure the permissions of the fetched file on the download location. Sadly /tmp is a known place where users can write files. This is a problem, as a potential race condition could appear, where get-pip is modifiable on /tmp/ folder by another user, leading to privilege escalation. Change-Id: I041db3412e228efe8a0d9a87f4cfba206482c729
2018-08-17 18:17:08 +02:00 · 2018-08-17 18:17:08 +02:00 · 039d884e29
parent 742b0e5744
commit 039d884e29
1 changed files with 3 additions and 1 deletions
--- a/tasks/install_offline.yml
+++ b/tasks/install_offline.yml
@ -21,6 +21,7 @@
        dest: "/tmp/get-pip.py"
        force: "yes"
        validate_certs: "{{ pip_validate_certs }}"
+        mode: "0500"
      register: get_pip_local
      until: get_pip_local is success
      retries: 5
@ -40,7 +41,8 @@
        dest: "/tmp/get-pip.py"
        force: "yes"
        validate_certs: "{{ pip_validate_certs }}"
-      when: get_pip_local  is failed
+        mode: "0500"
+      when: get_pip_local is failed
      register: get_pip_local_fallback
      until: get_pip_local_fallback is success
      retries: 5