Permissions on files created with become

On my target system I have 2 accounts:

  • admin, which I use to log in with. This account can do pretty much anything using sudo
  • system account that has no password and no direct login ability. It is used for the application

I create the system user at the terminal using

    sudo useradd --system --shell /bin/bash --create-home --home-dir /opt/application application

The Ansible equivalent task I have is

    - name: create application system user
      user:
        name: "application"
        system: true
        shell: "/bin/bash"
        create_home: yes
        home: "/opt/application"
      become: yes

The owner and group of the created home directory are correct but the permissions don’t match.
Here is the dir created when doing it from the terminal:

    drwxr-x---. 11 application application 4096 Oct 7 12:16 application

Here is the dir created by Ansible:

    drwx------. 2 application application 62 Oct 24 14:01 application

It is easy enough to fix permissions on one folder, but it just goes on and gets worse from there when I install the application in the home directory.

I would normally log in with my admin account, sudo to the application account, then install the application:

    [admin@localhost ~]$ sudo -iu application
    [sudo] password for admin:
    [application@localhost ~]$ pip install application

I’ve accomplished that with the following task using Ansible.

    - name: install application
      pip:
        name:
          - application
        state: present
        virtualenv: "/opt/application"
        virtualenv_command: "-m venv"
      become: yes
      become_user: "application"

There are a TON of files and directories created when the application installs, so trying to update the permissions after the fact is quite burdensome if not impossible.

This is not an Ansible issue. This is a umask issue. Compare your umask settings as the user and then again as root. You’ll see they’re different. You can use the environment attribute with your playbooks to set the umask for your tasks.

1 Like

Have a look at the umask option for the user module:

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html#parameter-umask

btw, that little dot right after the permissions indicates that there is an SELinux security context.
That may or may not interfere later on, but it’s not possible to tell from the information.

2 Likes

This sounds like you are setting a different umask in your interactive session than the non-interactive session has. This is a question of system configuration, not really something that Ansible has control over.

    ezekielh@pandora ~ $ umask
    0022
    ezekielh@pandora ~ $ pip install --user miltertest
    Collecting miltertest
      Downloading miltertest-1.0.0-py3-none-any.whl.metadata (872 bytes)
    Downloading miltertest-1.0.0-py3-none-any.whl (23 kB)
    Installing collected packages: miltertest
    Successfully installed miltertest-1.0.0

    ezekielh@pandora ~ $ ls -lhd ~/.local/lib/python3.11/site-packages/miltertest
    drwxr-xr-x 3 ezekielh staff 97 Oct 24 17:36 /home/ezekielh/.local/lib/python3.11/site-packages/miltertest

    ezekielh@pandora ~ $ umask
    0077
    ezekielh@pandora ~ $ pip install --user miltertest
    Collecting miltertest
      Using cached miltertest-1.0.0-py3-none-any.whl.metadata (872 bytes)
    Using cached miltertest-1.0.0-py3-none-any.whl (23 kB)
    Installing collected packages: miltertest
    Successfully installed miltertest-1.0.0

    ezekielh@pandora ~ $ ls -lhd ~/.local/lib/python3.11/site-packages/miltertest
    drwx------ 3 ezekielh staff 97 Oct 24 17:40 /home/ezekielh/.local/lib/python3.11/site-packages/miltertest

1 Like

Thanks. I’m fairly new to Linux so I’d never even heard of umask before.
Here are the values on my system, which is a basic RHEL8 install:

    root umask 0022
    admin umask 0002
    application umask 0002

Playing around with the command: umask task, I found that running a task as admin gives the admin umask of 0002. If I use become, the umask becomes that of root (0022) even if I am becoming the application user. Using become_flags: "-i" when becoming the application user loads the user profile and gives you the correct umask for that user.

No need to set the umask when creating the new user; that is correct already. As for using the environment option, I assume the intent was something like below. This doesn’t error but also doesn’t work. My understanding is that it is used for setting env variables, which umask doesn’t appear to be. I have used that successfully before with PATH.

    - name: create application system user
      user:
        name: "application"
        system: true
        shell: "/bin/bash"
        create_home: yes
        home: "/opt/application"
      become: yes
      environment:
        umask: '0002'

The pip module does support a umask option that works, and become_flags: "-i" also works. Thank you all for pointing me in the right direction.
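Putting the two working fixes from this thread together, as an added example that is not from any poster in the thread: a playbook fragment that applies a umask at the module level (the umask parameters of the user and pip modules), the login-shell alternative via become_flags: "-i", and a stat/assert pair at the end that checks the resulting mode instead of trusting it. The umask value 0002 and the expected home-directory mode 0750 are taken from the values reported in the thread; the variable name expected_home_mode and the register name app_home are my own.

```yaml
# Added example, not from the thread. Assumes the "application" user, the
# /opt/application home and the umask values reported above (user umask 0002).
- name: Create application system user with an explicit umask
  ansible.builtin.user:
    name: application
    system: true
    shell: /bin/bash
    create_home: true
    home: /opt/application
    umask: "0002"            # user module umask parameter (Linux only)
  become: true

- name: Install application into a venv, applying the umask before pip runs
  ansible.builtin.pip:
    name: application
    state: present
    virtualenv: /opt/application
    virtualenv_command: "-m venv"
    umask: "0002"            # pip module umask parameter, instead of inheriting root's 0022
  become: true
  become_user: application

# Alternative to the module-level umask (use either this task or the previous
# one): sudo -i starts a login shell, so the application user's own profile, and
# therefore its umask, applies to the task. Note that become_flags replaces the
# sudo become plugin's default flags (-H -S -n).
- name: Install application via a login shell instead of a module umask
  ansible.builtin.pip:
    name: application
    state: present
    virtualenv: /opt/application
    virtualenv_command: "-m venv"
  become: true
  become_user: application
  become_flags: "-i"

# Verify rather than assume: compare the created mode with what the interactive
# useradd produced (0750 in the question). expected_home_mode is a hypothetical
# variable; set it to your site's policy.
- name: Stat the application home directory
  ansible.builtin.stat:
    path: /opt/application
  register: app_home
  become: true

- name: Fail the play if the mode, owner or group are not as expected
  ansible.builtin.assert:
    that:
      - app_home.stat.exists
      - app_home.stat.isdir
      - app_home.stat.pw_name == "application"
      - app_home.stat.gr_name == "application"
      - app_home.stat.mode == (expected_home_mode | default("0750"))
    fail_msg: "/opt/application is {{ app_home.stat.mode }} {{ app_home.stat.pw_name }}:{{ app_home.stat.gr_name }}"
```

The module umask parameters are the narrower fix, since they affect only the files that one task creates; become_flags: "-i" changes the environment of everything the task runs under that user, which is what an interactive sudo -iu does.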