When is it unsafe to bulk-set task arguments from a variable?

Answer»

All of a task's arguments can be set from a dictionary-typed variable, which can be useful in some dynamic execution scenarios. However, Ansible issues a warning when you do this, since it introduces a security risk.

    vars:
      usermod_args:
        name: testuser
        state: present
        update_password: always
    tasks:
      - user: '{{ usermod_args }}'

In the above example, the values passed to the variable usermod_args could be overwritten by malicious values in the host facts on a compromised target machine. To avoid this:

  • Set bulk variables at a precedence level greater than host facts.
  • Disable the INJECT_FACTS_AS_VARS configuration setting to avoid collision of fact values with variables.
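
The two mitigations above, sketched as configuration. This is an added example, not part of the original answer: the play layout, task names and the per-argument form of the user task are assumptions, and inject_facts_as_vars is the ansible.cfg key for the setting named above.

```yaml
# ansible.cfg (INI file next to the playbook), shown here as comments:
#   [defaults]
#   inject_facts_as_vars = False
#
# With injection disabled, facts are reachable only through ansible_facts[...],
# so a fact returned by the target cannot collide with a variable such as
# usermod_args.
- hosts: all
  vars:
    # Play vars rank above host facts in Ansible's variable precedence.
    usermod_args:
      name: testuser
      state: present
      update_password: always
  tasks:
    # Assumption for this example: name each argument instead of passing the
    # whole dictionary, so only these three parameters can ever reach the module.
    - name: Manage the account with explicitly named arguments
      ansible.builtin.user:
        name: "{{ usermod_args.name }}"
        state: "{{ usermod_args.state }}"
        update_password: "{{ usermod_args.update_password }}"

    - name: Read facts through the ansible_facts namespace only
      ansible.builtin.debug:
        msg: "Target reports {{ ansible_facts['distribution'] }}"
```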

