How to create an unprivileged user and initialize its GPG config?

I’d like to create a user and import a GPG key into its GPG keychain. I thought the easiest way to do this would be to impersonate him, so the configuration and key files created by the gpg tool have the right ownership and permissions. My playbook steps look like this:

  - name: Create backup user
    user: name={{ backup_user }} groups={{ backup_group }} append=yes

  - name: Copy public key
    copy:
      src: files/some_public_key.asc
      dest: "/home/{{ backup_user }}/some_public_key.asc"
      owner: "{{ backup_user }}"

  - name: Import public key
    # chdir is a module argument, so it belongs under args:, not at task level
    shell: gpg --import /home/{{ backup_user }}/some_public_key.asc
    args:
      chdir: "/home/{{ backup_user }}/"
    become: yes
    become_user: "{{ backup_user }}"

However, I’m getting a “Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user” error message.

As a workaround I could call the gpg command as a privileged user and later change the ownership of the .gnupg directory, but that feels kind of odd. Is there a better way to do this?

Instead of becoming this user, can you already log in as this user at
this point in time? Then setting the ansible_user variable to the
username and setting become to no would get ansible to log in as this
user directly.

But maybe you have not set up any kind of ssh authentication at this
point, so this might not be possible...

Johannes

This page describes your alternatives:
https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

I’ve read the ways to resolve this, but I’m still struggling:

  • setfacl is available on the machine (in /usr/bin) and I’m using Ansible 2.2, so theoretically my playbook should work. Is there any way to check why it fails?
  • The docs say “In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.” I guess this is only true for root and not for any privileged user?

One thing is to have setfacl installed, but have you enabled acl on the filesystem?
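An added diagnostic for the question above (not from any poster in this thread): Ansible grants the become_user read access to its remote tmp directory with setfacl, which needs both the acl package and a filesystem with POSIX ACLs enabled. The script assumes a Linux host (/proc/mounts, df -P, awk, mktemp) and a user name you pass in, here the constructed example "backup".

```shell
#!/bin/sh
# "Failed to set permissions on the temporary files..." means setfacl could
# not grant the become_user read access to Ansible's remote tmp dir. That
# needs the acl tool AND ACLs enabled on that filesystem (Linux assumed).

# Classify a /proc/mounts option string: 0 = acl listed, 1 = noacl listed,
# 2 = not stated (ext4/xfs enable ACLs by default, so probe to be sure).
mount_opts_acl_state() {
    case ",$1," in
        *,acl,*)   return 0 ;;
        *,noacl,*) return 1 ;;
    esac
    return 2
}

# Probe a directory the way Ansible does: create a file there and try to
# grant $2 (a user name or uid) read access with an ACL entry.
# 0 = ACLs work, 1 = filesystem rejected setfacl, 2 = setfacl missing,
# 3 = directory not writable.
probe_acl() {
    dir="$1"; grantee="$2"
    if ! command -v setfacl >/dev/null 2>&1; then
        echo "setfacl not found: install the 'acl' package"; return 2
    fi
    f=$(mktemp "$dir/acltest.XXXXXX") || { echo "cannot write to $dir"; return 3; }
    if setfacl -m "u:$grantee:r" "$f" 2>/dev/null; then
        echo "ACLs work on $dir"; rc=0
    else
        echo "setfacl failed on $dir: ACLs not enabled on this filesystem"; rc=1
    fi
    rm -f "$f"
    return $rc
}

# Full report for the filesystem holding the remote tmp dir and the target user.
check_become_tmp() {
    dir="$1"; user="$2"
    mnt=$(df -P "$dir" | awk 'NR == 2 {print $6}')
    opts=$(awk -v m="$mnt" '$2 == m {print $4}' /proc/mounts)
    echo "$dir is on $mnt (options: $opts)"
    st=0; mount_opts_acl_state "$opts" || st=$?
    [ "$st" -eq 1 ] && echo "mounted with noacl: remount with acl before using become"
    probe_acl "$dir" "$user"
}

# Ansible's remote tmp defaults to ~/.ansible/tmp of the connecting user,
# so that user's home filesystem is the one to check, e.g.:
#   ./check_become_tmp.sh "$HOME" backup
check_become_tmp "${1:-$HOME}" "${2:-nobody}" || true
```

If the probe reports "setfacl failed", remounting with the acl option (or installing the acl package when setfacl is missing) lets the become step keep the temp files readable only by the target user instead of falling back to world-readable ones.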