Make sure umask is set restrictively before creating any vault files

lib/ansible/utils/vault.py

@@ -189,6 +189,7 @@ class VaultEditor(object):
             raise errors.AnsibleError("%s exists, please use 'edit' instead" % self.filename)
 
         # drop the user into vim on file
+        old_umask = os.umask(0077)
         EDITOR = os.environ.get('EDITOR','vim')
         call([EDITOR, self.filename])
         tmpdata = self.read_data(self.filename)
@@ -196,6 +197,7 @@ class VaultEditor(object):
         this_vault.cipher_name = self.cipher_name
         enc_data = this_vault.encrypt(tmpdata)
         self.write_data(enc_data, self.filename)
+        os.umask(old_umask)
 
     def decrypt_file(self):
 
@@ -218,6 +220,9 @@ class VaultEditor(object):
         if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH:
             raise errors.AnsibleError(CRYPTO_UPGRADE)
 
+        # make sure the umask is set to a sane value
+        old_mask = os.umask(0077)
+
         # decrypt to tmpfile
         tmpdata = self.read_data(self.filename)
         this_vault = VaultLib(self.password)
@@ -243,6 +248,9 @@ class VaultEditor(object):
         # shuffle tmp file into place
         self.shuffle_files(tmp_path, self.filename)
 
+        # and restore the old umask
+        os.umask(old_mask)
+
     def encrypt_file(self):
 
         if not HAS_AES or not HAS_COUNTER or not HAS_PBKDF2 or not HAS_HASH: