Hello,
i am a new user of ansible and i’m facing an issue to copy files with unprivilegied user (becom_user method).
I investigated a little bit and i think it might be a bug. Can you please take a look and tell me what you think about that ?
First, i tried this play:
- name : Copy the JDK and Weblogic Installation files to ORACLE_HOME
become: yes
become_user: weblogic
tags: app,cpbinaries
copy:
src: “{{ item }}”
dest: “{{ oracle_home }}”
mode: 0755
with_items:
- “fmw_12.2.1.3.0_wls.jar”
- “server-jre-8u202-solaris-x64.tar.gz”
- “oraInst.loc”
- “install.file”
- “DemoIdentity.jks”
and i get this error :
fatal: [solarisA]: FAILED! => {
“msg”: “Failed to get information on remote file (/opt/oracle): Shared connection to solarisa closed.\r\n”
}
so i switched to debug mode to detail all steps :
1 - Ansible creates remote temporaries directories
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB ‘/bin/sh -c ‘"’"’( umask 77 && mkdir -p “echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384” && echo ansible-tmp-1568504245.1231182-74525082315384=“echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384” ) && sleep 0’“'”‘’
In this “become unprevilieged” context ansible creates his remote_tmp directory on /var/tmp which have permissive permissions and is world read-write-excutable.
2 - Ansible puts via sftp his python script:
(0, b’sftp> put /home/ansible/.ansible/tmp/ansible-local-614inxzagl8/tmpz32je0t9 /var/tmp/ansible-tmp-x.1231182-74525082315384/AnsiballZ_stat.py\n’, b’')
this script needs to be executed by the unprivileged user (in this case weblogic), so setfacl is used to define extra acl for weblogic user (r-x) for directory and python script.
3 - Ansible sets special ACL**:**
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB ‘/bin/sh -c ‘"’“‘setfacl -m u:weblogic:r-x /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/ /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py && sleep 0’”’"‘’
4 - Ansible executes his scripts with the “become_user” and here comes the issue:
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e -tt solarisB ‘/bin/sh -c ‘"’“'sudo -H -S -n -u weblogic /bin/sh -c '”’“'”‘"’“'”‘"’“‘echo BECOME-SUCCESS-yphzzwuikysosecwybnqdmhqlrteqtqo ; /usr/bin/python /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py’”‘"’“'”‘"’“'”‘"’ && sleep 0’“'”‘’
(2, b"/usr/bin/python: can’t open file ‘/var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py’: [Errno 13] Permission denied\r\n", b’Shared connection to solarisb closed.\r\n’)
Checking of tmp files on the remote host reveals that acls are setted as expected. It explains also why permission still denied.
Below the output of the getfacl command on both directory and file created by ansible :
bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
# owner: ansible
# group: ansible
user::rwx
user:weblogic:r-x #effective:—
group::— #effective:—
mask:—
other:—
bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py
# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py
# owner: ansible
# group: ansible
user::rw-
user:weblogic:r-x #effective:—
group::— #effective:—
mask:—
other:—
mask:— defines maximum permissions allow for users, so weblogic have no rights (#effective)
this value is set when file or directory are created. By default it is value of the group, in my case is group::— so mask value is : mask:—.
man of setfacl inform about -r option :
-r Recalculates the permissions for the ACL
mask entry. The permissions specified in
the ACL mask entry are ignored and
replaced by the maximum permissions neces-
sary to grant the access to all additional
user, file group owner, and additional
group entries in the ACL. The permissions
in the additional user, file group owner,
and additional group entries are left
unchanged.
I tried to modify ansible’s code to add this option :
in /lib/ansible/plugins/shell/init.py
def set_user_facl(self, paths, user, mode):
“”“Only sets acls for users as that’s really all we need”“”
cmd = [‘setfacl’, ‘-r’, ‘-m’, ‘u:%s:%s’ % (user, mode)]
cmd.extend(paths)
cmd = [shlex_quote(c) for c in cmd]
i reran playbook and task ended successfully.ansible-playbook 2.8.5
In documentation i see an ‘allow_world_readable_tmpfiles’ option but from what i understant it’s only active when ansible can’t set correct rights. In my case it seems that ansible doesn’t catch any errors to this level and doesn’t try to chmod his files.
Is there an option permitting to choose how ansible set rights in his remote temporary directories ?