security implications of: local_action: shell command {{ fact_var }}


nusenu

Jan 23, 2016, 1:54:42 PM
to Ansible Project
Hi,

Similar to a previous question [1] that was answered by Brian, I'm
wondering if the following example gives the remote server remote
command execution privileges on the Ansible host (which obviously no one
wants):

local_action: shell cat {{ fact123 }}

Is that a bad idea?

Can the remote server do an 'rm -rf /home' by providing
"/etc/passwd; rm -rf /home"
as the content of fact123?

From Brian's previous answer[1]:
> - the fact variables (what ansible_all_ipv4_addresses is) are
> sanitized against template injection but not verified against
> directories,

Does that sanitization also prevent shell CLI injection (above example)?

thanks!


[1]
https://groups.google.com/d/msgid/ansible-project/CAJ5XC8mKHaCvD7LOJJZJEMvWJkaij39ani%2BPcd36yFmMoWCeyw%40mail.gmail.com

Brian Coca

Jan 23, 2016, 2:00:40 PM
to Ansible Project
No, Ansible can only protect you so much. As in a normal shell, you
really want to quote variable input:

`cat "{{fact123}}"` would work the same as when running a shell script
`cat "$MYVAR"`




--
Brian Coca

nusenu

Jan 23, 2016, 2:12:57 PM
to ansible...@googlegroups.com
Thanks for your fast reply!

Brian Coca:
So you confirm that my example gives the remote server remote code
execution on the Ansible host, right?

Does using the 'command' module instead of the shell module kill this
entire attack possibility (besides always quoting vars) and would
therefore be a good preference over the shell module?
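The mechanics behind the thread, as an added example that is not part of the original posts: the rendered line `cat {{ fact123 }}` is tokenised the way a POSIX shell would, once unquoted and once with the quoting Brian recommends (Ansible's `quote` filter applies shlex-style quoting, which `shlex.quote` reproduces), and once as the argv the `command` module builds with `shlex.split` and runs without a shell. The fact value is constructed from the question; nothing is executed.

```python
"""Added example (not from the thread): how `cat {{ fact123 }}` is split by a
POSIX shell, how quoting changes that, and what the command module would see.
No command is run; the rendered strings are only tokenised."""
import shlex

# Constructed attacker-controlled fact value, as in the question.
MALICIOUS_FACT = "/etc/passwd; rm -rf /home"


def render(fact: str, quoted: bool = False) -> str:
    """Stand-in for Jinja2 rendering of `cat {{ fact123 }}`.  With quoted=True
    it mimics `cat {{ fact123 | quote }}`; shlex.quote is the same
    single-quote wrapping Ansible's quote filter applies."""
    return "cat " + (shlex.quote(fact) if quoted else fact)


def shell_commands(cmdline: str) -> list:
    """Split a command line into the simple commands a POSIX shell would run:
    quotes are honoured and ';' separates commands (needs Python 3.8+)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def command_module_argv(cmdline: str) -> list:
    """What the `command` module hands to exec: a single argv produced by
    shlex.split with no shell, so ';' is just text inside an argument.
    The attacker still controls the arguments cat receives."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    for quoted in (False, True):
        line = render(MALICIOUS_FACT, quoted)
        print(f"shell  {line!r} -> {shell_commands(line)}")
    print("command module argv ->", command_module_argv(render(MALICIOUS_FACT)))
```

Unquoted, the shell runs two commands and the second one is `rm -rf /home`; quoted, `cat` receives one literal argument; with the `command` module there is no shell to interpret `;`, but every word of the fact still becomes an argument to `cat`, so argument-level injection remains a concern.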