ignore ansible.cfg in world writable cwd (#42070)

* ignore ansible.cfg in world writable cwd * also added 'warnings' to config * updated man page template
2026-05-07 05:42:50 +00:00 · 2018-06-29 19:46:10 -04:00
parent de0e11c0d5
commit b6f2aad600
5 changed files with 38 additions and 10 deletions
--- a/lib/ansible/config/manager.py
+++ b/lib/ansible/config/manager.py
@@ -6,6 +6,7 @@ __metaclass__ = type

 import os
 import sys
+import stat
 import tempfile

 import io
@@ -142,7 +143,7 @@ def get_ini_config_value(p, entry):
    return value


-def find_ini_config_file():
+def find_ini_config_file(warnings=None):
    ''' Load INI Config File order(first found is used): ENV, CWD, HOME, /etc/ansible '''
    # FIXME: eventually deprecate ini configs

@@ -152,7 +153,14 @@ def find_ini_config_file():
        if os.path.isdir(path0):
            path0 += "/ansible.cfg"
    try:
-        path1 = os.getcwd() + "/ansible.cfg"
+        path1 = os.getcwd()
+        perms1 = os.stat(path1)
+        if perms1.st_mode & stat.S_IWOTH:
+            if warnings is not None:
+                warnings.add("Ansible is in a world writable directory (%s), ignoring it as an ansible.cfg source." % to_text(path1))
+            path1 = None
+        else:
+            path1 += "/ansible.cfg"
    except OSError:
        path1 = None
    path2 = unfrackpath("~/.ansible.cfg", follow=False)
@@ -171,6 +179,7 @@ class ConfigManager(object):

    UNABLE = {}
    DEPRECATED = []
+    WARNINGS = set()

    def __init__(self, conf_file=None, defs_file=None):

@@ -196,7 +205,7 @@ class ConfigManager(object):

        if self._config_file is None:
            # set config using ini
-            self._config_file = find_ini_config_file()
+            self._config_file = find_ini_config_file(self.WARNINGS)

        # consume configuration
        if self._config_file:
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -17,6 +17,16 @@ from ansible.module_utils.six import string_types
 from ansible.config.manager import ConfigManager, ensure_type, get_ini_config_value


+def _warning(msg):
+    ''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
+    try:
+        from __main__ import display
+        display.warning(msg)
+    except:
+        import sys
+        sys.stderr.write(' [WARNING] %s\n' % (msg))
+
+
 def _deprecated(msg, version='2.8'):
    ''' display is not guaranteed here, nor it being the full class, but try anyways, fallback to sys.stderr.write '''
    try:
@@ -24,7 +34,7 @@ def _deprecated(msg, version='2.8'):
        display.deprecated(msg, version=version)
    except:
        import sys
-        sys.stderr.write('[DEPRECATED] %s, to be removed in %s' % (msg, version))
+        sys.stderr.write(' [DEPRECATED] %s, to be removed in %s\n' % (msg, version))


 def mk_boolean(value):
@@ -189,3 +199,6 @@ for setting in config.data.get_settings():
        value = ensure_type(value, setting.type)

    set_constant(setting.name, value)
+
+for warn in config.WARNINGS:
+    _warning(warn)