I recently read about Ansible and the way it handles sudo passwords. More specifically:
When using become_user to a user other than root, the module arguments are briefly written into a random tempfile in /tmp. These are deleted immediately after the command is executed. This only occurs when changing privileges from a user like ‘bob’ to ‘timmy’, not when going from ‘bob’ to ‘root’, or logging in directly as ‘bob’ or ‘root’. If it concerns you that this data is briefly readable (not writable), avoid transferring unencrypted passwords with become_user set. In other cases, /tmp is not used and this does not come into play. Ansible also takes care to not log password parameters.
Isn't this a security risk? Can an unprivileged user write a watchdog script that sniffs the contents of newly created files in the /tmp directory?
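The check a practitioner would want before worrying (or not) is empirical: watch /tmp from a second, unprivileged account while a become_user play runs and see whether the short-lived files are actually readable by that account. The script below is an added example, not code from the question or from Ansible. It polls a directory the way the question describes, but instead of collecting content it reports each new regular file's owner, permission bits and whether the "other" read bit is set, and tries a read. Paths, the polling interval and the sample file names are assumptions of this example.

```python
"""Poll a directory for new regular files and report whether another
(unprivileged) user could read them.

Added example, not part of the original post and not Ansible's own code.
Run it as a user other than the one Ansible connects as, e.g.
    python3 tmpwatch.py /tmp
while a play with become_user set is executing.
"""
import os
import stat
import sys
import time


def scan_once(directory, seen):
    """Return (path, owner_uid, mode, world_readable) for regular files in
    `directory` that are not yet in `seen`, and add them to `seen`.

    Only the permission bits are inspected; a POSIX ACL that grants read to
    a specific user (check with getfacl) would not show up here.
    """
    found = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.path in seen:
                continue
            try:
                if not entry.is_file(follow_symlinks=False):
                    continue
                st = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                # Short-lived file already deleted, as the Ansible docs describe.
                continue
            seen.add(entry.path)
            world_readable = bool(st.st_mode & stat.S_IROTH)
            found.append((entry.path, st.st_uid,
                          stat.S_IMODE(st.st_mode), world_readable))
    return found


def try_read(path, limit=256):
    """Try to read up to `limit` bytes; None if denied or already gone."""
    try:
        with open(path, "rb") as f:
            return f.read(limit)
    except (PermissionError, FileNotFoundError):
        return None


def watch(directory="/tmp", interval=0.05, duration=None):
    """Print one line per new file until `duration` seconds elapse (or forever)."""
    with os.scandir(directory) as it:
        seen = {e.path for e in it}  # ignore files that already exist
    start = time.monotonic()
    while duration is None or time.monotonic() - start < duration:
        for path, uid, mode, world in scan_once(directory, seen):
            data = try_read(path)
            print(f"{path} uid={uid} mode={mode:04o} "
                  f"world_readable={world} "
                  f"read={'ok' if data is not None else 'denied'}")
        time.sleep(interval)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "/tmp")
```

Two caveats when interpreting the output: polling can miss a file that lives for less than one interval (an inotify-based watcher closes that gap but needs a non-standard-library module), and a file created with mode 0600 is invisible to this check even though the target account could still read it through an ACL, so combine the run with `getfacl` on anything suspicious. If the files show up with the "other" read bit set and `read=ok`, the scenario in the question is real on that host.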