There is some interesting discussion in this LWN subscriber link (https://lwn.net/SubscriberLink/711791/5109edb099f55603/). I'm not sure about posting subscriber-only links, but this was pasted in a well-trafficked IRC channel on Freenode, and LWN seems to want these links spread far and wide as long as it isn't used to subvert their subscription model.
What's the motivation for moving away from Ansible? Just wondering. Puppet and Chef are enormous and brittle in my experience. I've moved previously from Puppet to Chef, and then from Chef to Ansible. I tried Saltstack but it felt similar to Puppet and Chef. Ansible can be slow, but the complexity overhead is minimal comparatively.
Odd. I reported this very same form of vulnerability to the Ansible team in the 1.5.4 series in 2014, where the code basically eval'd the "facts" discovered from a system under management.
There was this "safe_eval" function which filtered input in a way quite inconsistent with its name. The Ansible team was responsive and pleasant to work with.
But I suspect lots of remote control and monitoring software products might have security bugs like this where they assume that the returned information from systems under management are trustworthy.
10 comments
[ 4.7 ms ] story [ 33.2 ms ] threadThere was this "safe_eval" function which filtered input in a way quite inconsistent with its name. The Ansible team was responsive and pleasant to work with.
https://groups.google.com/forum/#!topic/ansible-project/MUQx...
But I suspect lots of remote control and monitoring software products might have security bugs like this where they assume that the returned information from systems under management are trustworthy.
Edit to add: Here's the patch made to safe_eval. I had suggested using literal_eval instead but I think they didn't want to require Python 2.6+. https://github.com/ansible/ansible/commit/998793fd0ab55705d5...