/tmp/.ansible/tmp not write-able by all users


Mike Cavedon

Mar 2, 2018, 10:09:49 AM
to Ansible Project
I changed remote_tmp to /tmp/.ansible/tmp for performance reasons. The directory is created as follows:

[tmp]$ ls -ld .ansible
drwx------ 3 ec2-user ec2-user 4096 Mar  2 09:47 .ansible

When a different user attempts to write to the directory it fails:

"Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /tmp/.ansible/tmp/ansible-tmp-1520002087.57-3211555543948

Shouldn't /tmp/.ansible be created with 766 permission? Am I going to have to chmod /tmp/.ansible in the playbook?

Mike Cavedon

Mar 2, 2018, 10:16:44 AM
to Ansible Project
Looks like /tmp/.ansible needs to be 777

Toshio Kuratomi

Mar 2, 2018, 10:39:40 AM
to ansible...@googlegroups.com
If you specify /tmp/.ansible/tmp as the remote_tmp, then you become responsible for ensuring that the correct users have permission to read, write, and search that directory.  Ansible deals with permissions below that directory only.

There was a bug in the 2.5 branch (I believe fixed in the latest rc) where ansible was supposed to revert to the system temp directory when remote_user was unprivileged and become_user was also unprivileged.  What version of ansible are you using? (ansible --version output). That might tell us if this is related to that bug.

-Toshio

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/129d8418-299a-47d4-a975-a4a98fc16d96%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.
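
An added example (not from the thread and not Ansible's own code) of the permission rules behind the discussion above: creating an ansible-tmp-* directory under remote_tmp needs both write and search permission on the parent, and a world-writable parent without the sticky bit lets any user delete or rename other users' entries. The uid/gid numbers are constructed, and root and ACLs are ignored as a simplifying assumption.

```python
import os
import stat


def can_create_in(mode, owner_uid, owner_gid, uid, gids):
    """True if a non-root uid may create entries in a directory with this mode.

    Creating a file or subdirectory needs write AND search (execute)
    permission on the directory. Exactly one permission class is
    consulted: owner, else group, else other.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 0o3 == 0o3  # w (2) and x (1) must both be set


def unsafe_shared(mode):
    """True if world-writable without the sticky bit, so that any user
    can delete or rename entries created by other users."""
    return bool(mode & stat.S_IWOTH) and not mode & stat.S_ISVTX


def assess_path(path, uid, gids):
    """Apply both checks to a real directory on this host."""
    st = os.stat(path)
    return (can_create_in(st.st_mode, st.st_uid, st.st_gid, uid, gids),
            unsafe_shared(st.st_mode))


if __name__ == "__main__":
    # Constructed sample: directory owned by uid/gid 1000 (standing in for
    # ec2-user), accessed by an unrelated uid 1001 whose only group is 1001.
    for mode in (0o700, 0o766, 0o777, 0o1777):
        ok = can_create_in(mode, 1000, 1000, 1001, {1001})
        print(f"{mode:04o}  other user can create: {ok}  "
              f"unsafe when shared: {unsafe_shared(mode)}")
```

Mode 1777 is what /tmp itself normally carries: every user can create entries, but only the owner of an entry (or of the directory, or root) can remove it.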

Mike Cavedon

Mar 2, 2018, 10:49:57 AM
to Ansible Project
I think the workaround/solution is to set remote_tmp=/tmp. I prefer remote_tmp to be a subdirectory under /tmp but it looks like that means I will have to deal with permissions which I prefer not to. I'm testing now. Thanks.


