Hello, I am a new user of Ansible and I'm facing an issue copying files with an unprivileged user (become_user method). I investigated a little bit and I think it might be a bug. Can you please take a look and tell me what you think about that?
First, I tried this play:

    - name: Copy the JDK and Weblogic Installation files to ORACLE_HOME
      become: yes
      become_user: weblogic
      tags: app,cpbinaries
      copy:
        src: "{{ item }}"
        dest: "{{ oracle_home }}"
        mode: 0755
      with_items:
        - "fmw_12.2.1.3.0_wls.jar"
        - "server-jre-8u202-solaris-x64.tar.gz"
        - "oraInst.loc"
        - "install.file"
        - "DemoIdentity.jks"

and I get this error:

    fatal: [solarisA]: FAILED! => {
        "msg": "Failed to get information on remote file (/opt/oracle): Shared connection to solarisa closed.\r\n"
    }

so I switched to debug mode to detail all the steps:

1 - Ansible creates the remote temporary directories

    <solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384 `" && echo ansible-tmp-1568504245.1231182-74525082315384="` echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384 `" ) && sleep 0'"'"''

In this "become unprivileged" context Ansible creates its remote_tmp directory in /var/tmp, which has permissive permissions and is world read-write-executable.

2 - Ansible puts its python script via sftp:

    <solarisB> (0, b'sftp> put /home/ansible/.ansible/tmp/ansible-local-614inxzagl8/tmpz32je0t9 /var/tmp/ansible-tmp-x.1231182-74525082315384/AnsiballZ_stat.py\n', b'')

This script needs to be executed by the unprivileged user (in this case weblogic), so setfacl is used to define an extra ACL for the weblogic user (r-x) on the directory and the python script.
3 - Ansible sets the special ACL:

    <solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB '/bin/sh -c '"'"'setfacl -m u:weblogic:r-x /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/ /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py && sleep 0'"'"''

4 - Ansible executes its script as the "become_user", and here comes the issue:

    <solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e -tt solarisB '/bin/sh -c '"'"'sudo -H -S -n -u weblogic /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-yphzzwuikysosecwybnqdmhqlrteqtqo ; /usr/bin/python /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
    <solarisB> (2, b"/usr/bin/python: can't open file '/var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py': [Errno 13] Permission denied\r\n", b'Shared connection to solarisb closed.\r\n')

Checking the tmp files on the remote host reveals that the ACLs are set as expected. It also explains why permission is still denied.
Below is the output of the getfacl command on both the directory and the file created by Ansible:

    bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729

    # file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
    # owner: ansible
    # group: ansible
    user::rwx
    user:weblogic:r-x               #effective:---
    group::---                      #effective:---
    mask:---
    other:---

    bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py

    # file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py
    # owner: ansible
    # group: ansible
    user::rw-
    user:weblogic:r-x               #effective:---
    group::---                      #effective:---
    mask:---
    other:---

mask:--- defines the maximum permissions allowed for users, so weblogic has no rights (#effective). This value is set when the file or directory is created. By default it is the value of the group, in my case group::---, so the mask value is mask:---.

The setfacl man page says this about the -r option:

    -r    Recalculates the permissions for the ACL mask entry. The
          permissions specified in the ACL mask entry are ignored and
          replaced by the maximum permissions necessary to grant the
          access to all additional user, file group owner, and
          additional group entries in the ACL. The permissions in the
          additional user, file group owner, and additional group
          entries are left unchanged.

I tried to modify Ansible's code to add this option, in /lib/ansible/plugins/shell/__init__.py:

    def set_user_facl(self, paths, user, mode):
        """Only sets acls for users as that's really all we need"""
        cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
        cmd.extend(paths)
        cmd = [shlex_quote(c) for c in cmd]

I reran the playbook and the task ended successfully (ansible-playbook 2.8.5).

In the documentation I see an 'allow_world_readable_tmpfiles' option, but from what I understand it is only active when Ansible can't set the correct rights.
In my case it seems that Ansible doesn't catch any error at this level and doesn't try to chmod its files. Is there an option permitting to choose how Ansible sets the rights on its remote temporary directories?

------------------------------

Ansible/Python version:

    ansible-playbook 2.8.5
    python version = 3.6.8 (default, Apr 25 2019, 21:02:35) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

Remote host:

    bash-3.2$ uname -a
    SunOS solarisA 5.10 Generic_147148-26 i86pc i386 i86pc

------------------------------

Regards

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d45c8e06-c6c6-4a5b-aad6-f44db67c80c4%40googlegroups.com.
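As an added illustration (not part of the original post, and not Ansible's own code), the following Python models the POSIX ACL mask semantics behind the getfacl output above: the mask caps the effective rights of named users, the owning group and named groups, and `setfacl -r` recomputes that mask as the union of exactly those entries. The getfacl text is the directory ACL copied from the post; the function names, the `setfacl_command` helper and the `/var/tmp/ansible-tmp-X` path are my own.

```python
"""Model of POSIX ACL mask semantics behind the getfacl output in the post.

Added example, not Ansible code. Function names here are my own.
"""
import shlex
from typing import Dict, List, Tuple

Entry = Tuple[str, str, int]  # (tag, qualifier, permission bits)

# Constructed sample: the directory ACL as getfacl printed it in the post.
SAMPLE_GETFACL = """\
# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
# owner: ansible
# group: ansible
user::rwx
user:weblogic:r-x               #effective:---
group::---                      #effective:---
mask:---
other:---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'r-x' -> 5."""
    return sum(bit for char, bit in PERM_BITS.items() if char in perm)


def bits_to_perm(bits: int) -> str:
    """5 -> 'r-x'."""
    return "".join(char if bits & bit else "-" for char, bit in PERM_BITS.items())


def parse_getfacl(text: str) -> List[Entry]:
    """Parse getfacl output into (tag, qualifier, bits), dropping the
    '# file:' header lines and the '#effective:' annotations."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, *rest = line.split(":")
        perm = rest[-1]
        qualifier = rest[0] if len(rest) == 2 else ""  # mask:/other: have no qualifier
        entries.append((tag, qualifier, perm_to_bits(perm)))
    return entries


def is_masked(tag: str, qualifier: str) -> bool:
    """The mask caps named users, the owning group and named groups.
    The file owner (user::) and other:: are never masked."""
    return (tag == "user" and qualifier != "") or tag == "group"


def effective_permissions(entries: List[Entry]) -> Dict[str, int]:
    """Effective bits per entry, keyed 'tag:qualifier', after applying the mask."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    effective: Dict[str, int] = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        if mask is not None and is_masked(tag, qualifier):
            bits &= mask
        effective[f"{tag}:{qualifier}"] = bits
    return effective


def recalculate_mask(entries: List[Entry]) -> List[Entry]:
    """What 'setfacl -r' does: replace the mask with the union of all
    masked entries, leaving every other entry unchanged."""
    new_mask = 0
    for tag, qualifier, bits in entries:
        if is_masked(tag, qualifier):
            new_mask |= bits
    return [("mask", "", new_mask) if tag == "mask" else (tag, q, bits)
            for tag, q, bits in entries]


def setfacl_command(paths: List[str], user: str, mode: str, recalc_mask: bool) -> str:
    """Build the command line Ansible's set_user_facl runs, optionally with -r
    (hypothetical helper; quoting mirrors the shlex_quote call in the post)."""
    cmd = ["setfacl"] + (["-r"] if recalc_mask else []) + ["-m", f"u:{user}:{mode}"] + paths
    return " ".join(shlex.quote(c) for c in cmd)


def render(entries: List[Entry]) -> str:
    """Print the ACL the way getfacl does, annotating entries the mask cuts down."""
    effective = effective_permissions(entries)
    lines = []
    for tag, qualifier, bits in entries:
        text = f"{tag}:{qualifier}:{bits_to_perm(bits)}"
        key = f"{tag}:{qualifier}"
        if key in effective and effective[key] != bits:
            text = f"{text:<30} #effective:{bits_to_perm(effective[key])}"
        lines.append(text)
    return "\n".join(lines)


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("As created by Ansible (mask copied from group::---):")
    print(render(acl))
    print("\nAfter:", setfacl_command(["/var/tmp/ansible-tmp-X"], "weblogic", "r-x", True))
    print(render(recalculate_mask(acl)))
```

Run stand-alone it prints the weblogic entry as `r-x #effective:---` for the ACL as Ansible left it, and `r-x` with no annotation once the mask is recalculated to `r-x`. The platform difference worth knowing: the Linux setfacl(1) man page says the mask is recalculated by default after `-m` unless `-n` is given, which is why the plain `setfacl -m u:weblogic:r-x` works on Linux hosts, whereas the Solaris setfacl only recalculates it with `-r`, matching what the post observed.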