Closed ehelms closed 10 months ago
/tmp/ is set here: https://github.com/theforeman/puppet-foreman_proxy/blob/fbf33227165c56f8077cfba84738941d6133285b/templates/plugin/ansible.env.erb#L3
If we set working_dir to something more private, we could get away with a stricter rule? (but keep in mind that /tmp/foreman-proxy might be unwise, if the caller doesn't ensure it's not a symlink to prevent attacks)
Or we could set PrivateTmp in foreman-proxy.service, which would fix this, right?
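As an added illustration of the symlink caveat raised above (this is example code, not code from smart-proxy or puppet-foreman_proxy), the following Ruby helper creates a private working directory in a way that never follows a pre-planted symlink: `Dir.mkdir` fails with EEXIST on anything already at the path, and an existing entry is then inspected with `lstat` and accepted only if it is a real directory owned by the caller with no group/world bits. The function name `private_working_dir` and the example paths are assumptions.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not part of any Foreman project): create or validate a
# private working directory at +path+ without following symlinks.
# Returns the path on success and raises RuntimeError on anything suspicious,
# so a planted symlink or an overly open directory is refused, not used.
def private_working_dir(path)
  begin
    # Dir.mkdir fails with EEXIST if anything already sits at the path,
    # a symlink included, so a planted link is never followed here.
    Dir.mkdir(path, 0o700)
  rescue Errno::EEXIST
    # Something exists: inspect it with lstat, which does not follow symlinks.
    st = File.lstat(path)
    raise "#{path} is a symlink, refusing to use it" if st.symlink?
    raise "#{path} exists but is not a directory" unless st.directory?
    raise "#{path} is owned by uid #{st.uid}, not #{Process.uid}" unless st.uid == Process.uid
    if (st.mode & 0o077) != 0
      raise "#{path} is group/world accessible, not a private directory"
    end
  end
  # Re-check after creation as well: mkdir's mode is filtered through umask.
  st = File.lstat(path)
  unless st.directory? && !st.symlink? && (st.mode & 0o077) == 0
    raise "#{path} is not a private directory"
  end
  path
end
```

The check is a one-shot validation; a hostile local user could still race between the `lstat` and later use of the directory, which is why a per-service namespace such as systemd's PrivateTmp is the more robust fix, with this kind of check as defence in depth.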
I will have to test this, since it is calling out to Ansible, I do not know if PrivateTmp extends.
Tested and setting PrivateTmp on foreman-proxy did solve the Cloud Connector invocation issue.
https://github.com/theforeman/smart-proxy/pull/879 was merged and I could run the plugins pipeline, which includes Ansible tests just fine, so I am going to close this one as completed.
These in particular were seen executing the Cloud Connector playbook:
Options: