Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 2 May 2015 05:54:33 +0200
From: Michael Scherer <>
Subject: CVE Request / Ansible: insecure permission on a directory when
 using spacewalk inventory


Could a CVE be assigned for this problem :

Ansible inventory script for spacewalk create a file in the current
directory with incorrect permission due to a error in a chmod specification.

In python, os.chmod need to be in octal, and 2755 is not octal. 
So in the end, we manage to have permission like this :


And o+rw and u+s kinda sound bad. The directory is created in $PWD if 
I read the code right, so that's likely the homedir of 1 admin.
However, that's executed locally, or from a bastion, so there
isn't much venue to attack ( even if shared shell server still exist nowadays ),
and this requires to use spacewalk.

I pushed a commit there :

I will wait for a CVE to be assigned before fixing the commit message, and push a 
PR ( cause i am quite bothered when I cannot find the CVE in the commit message)

Michael Scherer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ