ansible/CVE-2024-9902.patch

From: Brian Coca <bcoca@users.noreply.github.com>
Date: Mon, 28 Oct 2024 12:47:08 -0400
Subject: CVE-2024-9902 user module avoid chmoding symlink'd home file
 (#83956) (#84081)

also added tests

origin: https://github.com/ansible/ansible/commit/3b5a4319985e1eabe7fc0410bf8308b671f4f586
bug: https://github.com/ansible/ansible/pull/84081
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086883
---
 changelogs/fragments/user_action_fix.yml      |  2 +
 lib/ansible/modules/system/user.py            |  4 +-
 .../targets/user/files/skel/.ssh/known_hosts  |  1 +
 .../user/tasks/test_create_user_home.yml      | 86 +++++++++++++++++++
 4 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/user_action_fix.yml
 create mode 100644 test/integration/targets/user/files/skel/.ssh/known_hosts

diff --git a/changelogs/fragments/user_action_fix.yml b/changelogs/fragments/user_action_fix.yml
new file mode 100644
index 00000000..64ee997d
--- /dev/null
+++ b/changelogs/fragments/user_action_fix.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - user module now avoids changing ownership of files symlinked in provided home dir skeleton
diff --git a/lib/ansible/modules/system/user.py b/lib/ansible/modules/system/user.py
index fd56fc68..9d47425f 100644
--- a/lib/ansible/modules/system/user.py
+++ b/lib/ansible/modules/system/user.py
@@ -1154,7 +1154,9 @@ class User(object):
                 for d in dirs:
                     os.chown(os.path.join(root, d), uid, gid)
                 for f in files:
-                    os.chown(os.path.join(root, f), uid, gid)
+                    full_path = os.path.join(root, f)
+                    if not os.path.islink(full_path):
+                        os.chown(full_path, uid, gid)
         except OSError as e:
             self.module.exit_json(failed=True, msg="%s" % to_native(e))
 
diff --git a/test/integration/targets/user/files/skel/.ssh/known_hosts b/test/integration/targets/user/files/skel/.ssh/known_hosts
new file mode 100644
index 00000000..f5b72a21
--- /dev/null
+++ b/test/integration/targets/user/files/skel/.ssh/known_hosts
@@ -0,0 +1 @@
+test file, not real ssh hosts file
diff --git a/test/integration/targets/user/tasks/test_create_user_home.yml b/test/integration/targets/user/tasks/test_create_user_home.yml
index 1b529f76..3bc1023b 100644
--- a/test/integration/targets/user/tasks/test_create_user_home.yml
+++ b/test/integration/targets/user/tasks/test_create_user_home.yml
@@ -134,3 +134,89 @@
     name: randomuser
     state: absent
     remove: yes
+
+- name: Create user home directory with /dev/null as skeleton, https://github.com/ansible/ansible/issues/75063
+  # create_homedir is mostly used by linux, rest of OSs take care of it themselves via -k option (which fails this task)
+  # OS X actuall breaks since it does not implement getpwnam()
+  when: ansible_system == 'Linux'
+  block:
+    - name: "Create user home directory with /dev/null as skeleton"
+      user:
+        name: withskeleton
+        state: present
+        skeleton: "/dev/null"
+        createhome: yes
+      register: create_user_with_skeleton_dev_null
+  always:
+    - name: "Remove test user"
+      user:
+        name: withskeleton
+        state: absent
+        remove: yes
+
+- name: Create user home directory with skel that contains symlinks
+  tags: symlink_home
+  when: ansible_system == 'Linux'
+  become: True
+  vars:
+    flag: '{{tempdir.path}}/root_flag.conf'
+  block:
+    - name: make tempdir for skel
+      tempfile: state=directory
+      register: tempdir
+
+    - name: create flag file
+      file: path={{flag}} owner=root state=touch
+
+    - name: copy skell to target
+      copy:
+        dest: '{{tempdir.path}}/skel'
+        src: files/skel
+      register: skel
+
+    - name: create the bad symlink
+      file:
+        src: '{{flag}}'
+        dest: '{{tempdir.path}}/skel/should_not_change_own'
+        state: link
+
+    - name: "Create user home directory with skeleton"
+      user:
+        name: withskeleton
+        state: present
+        skeleton: "{{tempdir.path}}/skel"
+        createhome: yes
+        home: /home/missing/withskeleton
+      register: create_user_with_skeleton_symlink
+
+    - name: Check flag
+      stat: path={{flag}}
+      register: test_flag
+
+    - name: ensure we didn't change owner for flag
+      assert:
+        that:
+          - test_flag.stat.uid != create_user_with_skeleton_symlink.uid
+
+  always:
+    - name: "Remove test user"
+      user:
+        name: withskeleton
+        state: absent
+        remove: yes
+
+    - name: get files to delete
+      find: path="{{tempdir.path}}"
+      register: remove
+      when:
+        - tempdir is defined
+        - tempdir is success
+
+    - name: "Remove temp files"
+      file:
+        path: '{{item}}'
+        state: absent
+      loop: "{{remove.files|default([])}}"
+      when:
+        - remove is success
+
-- 
2.47.0
Fix CVE-2024-8775 and CVE-2024-9902 (cherry picked from commit 60aeeac472e63256ee4fc7ccf7a626ac8dd1ea08) 2024-12-02 10:08:46 +08:00			`From: Brian Coca <bcoca@users.noreply.github.com>`
			`Date: Mon, 28 Oct 2024 12:47:08 -0400`
			`Subject: CVE-2024-9902 user module avoid chmoding symlink'd home file`
			`(#83956) (#84081)`

			`also added tests`

			`origin: https://github.com/ansible/ansible/commit/3b5a4319985e1eabe7fc0410bf8308b671f4f586`
			`bug: https://github.com/ansible/ansible/pull/84081`
			`bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086883`
			`---`
			`changelogs/fragments/user_action_fix.yml \| 2 +`
			`lib/ansible/modules/system/user.py \| 4 +-`
			`.../targets/user/files/skel/.ssh/known_hosts \| 1 +`
			`.../user/tasks/test_create_user_home.yml \| 86 +++++++++++++++++++`
			`4 files changed, 92 insertions(+), 1 deletion(-)`
			`create mode 100644 changelogs/fragments/user_action_fix.yml`
			`create mode 100644 test/integration/targets/user/files/skel/.ssh/known_hosts`

			`diff --git a/changelogs/fragments/user_action_fix.yml b/changelogs/fragments/user_action_fix.yml`
			`new file mode 100644`
			`index 00000000..64ee997d`
			`--- /dev/null`
			`+++ b/changelogs/fragments/user_action_fix.yml`
			`@@ -0,0 +1,2 @@`
			`+bugfixes:`
			`+ - user module now avoids changing ownership of files symlinked in provided home dir skeleton`
			`diff --git a/lib/ansible/modules/system/user.py b/lib/ansible/modules/system/user.py`
			`index fd56fc68..9d47425f 100644`
			`--- a/lib/ansible/modules/system/user.py`
			`+++ b/lib/ansible/modules/system/user.py`
			`@@ -1154,7 +1154,9 @@ class User(object):`
			`for d in dirs:`
			`os.chown(os.path.join(root, d), uid, gid)`
			`for f in files:`
			`- os.chown(os.path.join(root, f), uid, gid)`
			`+ full_path = os.path.join(root, f)`
			`+ if not os.path.islink(full_path):`
			`+ os.chown(full_path, uid, gid)`
			`except OSError as e:`
			`self.module.exit_json(failed=True, msg="%s" % to_native(e))`

			`diff --git a/test/integration/targets/user/files/skel/.ssh/known_hosts b/test/integration/targets/user/files/skel/.ssh/known_hosts`
			`new file mode 100644`
			`index 00000000..f5b72a21`
			`--- /dev/null`
			`+++ b/test/integration/targets/user/files/skel/.ssh/known_hosts`
			`@@ -0,0 +1 @@`
			`+test file, not real ssh hosts file`
			`diff --git a/test/integration/targets/user/tasks/test_create_user_home.yml b/test/integration/targets/user/tasks/test_create_user_home.yml`
			`index 1b529f76..3bc1023b 100644`
			`--- a/test/integration/targets/user/tasks/test_create_user_home.yml`
			`+++ b/test/integration/targets/user/tasks/test_create_user_home.yml`
			`@@ -134,3 +134,89 @@`
			`name: randomuser`
			`state: absent`
			`remove: yes`
			`+`
			`+- name: Create user home directory with /dev/null as skeleton, https://github.com/ansible/ansible/issues/75063`
			`+ # create_homedir is mostly used by linux, rest of OSs take care of it themselves via -k option (which fails this task)`
			`+ # OS X actuall breaks since it does not implement getpwnam()`
			`+ when: ansible_system == 'Linux'`
			`+ block:`
			`+ - name: "Create user home directory with /dev/null as skeleton"`
			`+ user:`
			`+ name: withskeleton`
			`+ state: present`
			`+ skeleton: "/dev/null"`
			`+ createhome: yes`
			`+ register: create_user_with_skeleton_dev_null`
			`+ always:`
			`+ - name: "Remove test user"`
			`+ user:`
			`+ name: withskeleton`
			`+ state: absent`
			`+ remove: yes`
			`+`
			`+- name: Create user home directory with skel that contains symlinks`
			`+ tags: symlink_home`
			`+ when: ansible_system == 'Linux'`
			`+ become: True`
			`+ vars:`
			`+ flag: '{{tempdir.path}}/root_flag.conf'`
			`+ block:`
			`+ - name: make tempdir for skel`
			`+ tempfile: state=directory`
			`+ register: tempdir`
			`+`
			`+ - name: create flag file`
			`+ file: path={{flag}} owner=root state=touch`
			`+`
			`+ - name: copy skell to target`
			`+ copy:`
			`+ dest: '{{tempdir.path}}/skel'`
			`+ src: files/skel`
			`+ register: skel`
			`+`
			`+ - name: create the bad symlink`
			`+ file:`
			`+ src: '{{flag}}'`
			`+ dest: '{{tempdir.path}}/skel/should_not_change_own'`
			`+ state: link`
			`+`
			`+ - name: "Create user home directory with skeleton"`
			`+ user:`
			`+ name: withskeleton`
			`+ state: present`
			`+ skeleton: "{{tempdir.path}}/skel"`
			`+ createhome: yes`
			`+ home: /home/missing/withskeleton`
			`+ register: create_user_with_skeleton_symlink`
			`+`
			`+ - name: Check flag`
			`+ stat: path={{flag}}`
			`+ register: test_flag`
			`+`
			`+ - name: ensure we didn't change owner for flag`
			`+ assert:`
			`+ that:`
			`+ - test_flag.stat.uid != create_user_with_skeleton_symlink.uid`
			`+`
			`+ always:`
			`+ - name: "Remove test user"`
			`+ user:`
			`+ name: withskeleton`
			`+ state: absent`
			`+ remove: yes`
			`+`
			`+ - name: get files to delete`
			`+ find: path="{{tempdir.path}}"`
			`+ register: remove`
			`+ when:`
			`+ - tempdir is defined`
			`+ - tempdir is success`
			`+`
			`+ - name: "Remove temp files"`
			`+ file:`
			`+ path: '{{item}}'`
			`+ state: absent`
			`+ loop: "{{remove.files\|default([])}}"`
			`+ when:`
			`+ - remove is success`
			`+`
			`--`
			`2.47.0`