predictability of ansible script on clients

Hello,

Please correct me if I am wrong…

The playbooks are interpreted by the Ansible Control machine, and made into scripts that are copied over to the clients in a random location in ${HOME}/.ansible/tmp (I think), and then executed.

Is there a way to predict this randomness? Or use a fixed path? Or create a symlink to the script that needs to be executed?
The reason I’m asking is that we have an environment set up with PowerBroker, which doesn’t allow a lot of deviation from standard policies. And wildcard policies are not tolerated (as far as I can tell).

Thanks in advance,
Will.

I'm not sure that would be too helpful as a strict policy stops being
strict when it allows you to execute code that you can rewrite
underneath it. That is why most of these policies allow you to execute
specific binaries that you cannot change (/bin, /usr/bin, etc. and
everything inside are normally owned by root).

For example, you allow me to execute /home/myuser/.ansible/script1.py,
if I can rewrite script1.py to 'rm -rf /' it defeats the purpose of a
strict policy.

I agree with what you say here, but it’s difficult to get exceptions on existing policies.
So I was hoping if there was some predictability to this.

None built in, it is partially a security feature so others cannot
change the files under you between the copy and the execution.
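
The point raised in the replies, that an allow-listed path is only as strict as the write permissions on the file and on every directory above it, can be checked mechanically before a path is added to a policy. The following is an added example, not code from any poster in this thread or from Ansible: the helper name `writable_components`, the trusted-UID list and the sticky-bit exemption are assumptions of this sketch.

```python
import os
import stat
import tempfile

def writable_components(path, trusted_uids=(0,)):
    """List (component, reason) for each part of `path` that a user outside
    `trusted_uids` could modify or replace. Assumption of this sketch: only
    owner and mode bits are considered (no ACLs, no group membership)."""
    findings = []
    current = os.path.realpath(path)  # resolve symlinks before walking up
    while True:
        st = os.stat(current)
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory (e.g. /tmp) only an entry's owner can rename
        # or delete it, so group/other write there does not allow a swap.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by untrusted uid %d" % st.st_uid))
        elif loose and not sticky_dir:
            findings.append((current, "group/other writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings

if __name__ == "__main__":
    # Constructed sample: a script in a per-user directory, as in the
    # /home/myuser/.ansible/script1.py example from the thread.
    base = tempfile.mkdtemp()
    script = os.path.join(base, "script1.py")
    with open(script, "w") as fh:
        fh.write("print('hello')\n")
    for component, reason in writable_components(script):
        print("%s: %s" % (component, reason))
```

An empty result means every component is owned by a trusted UID and not writable by group or others; any finding names a place where the file could be swapped after the policy was approved.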