Permissions problem when copying file to a Solaris 10 host remote with unprivileged user
118 views
Skip to first unread message
Sur Veillor
Sep 16, 2019, 5:28:10 PM9/16/19
to Ansible Project
Hello,
i am a new user of ansible and i'm facing an issue to copy files with unprivilegied user (becom_user method).
I investigated a little bit and i think it might be a bug. Can you please take a look and tell me what you think about that ?
First, i tried this play:
- name : Copy the JDK and Weblogic Installation files to ORACLE_HOME
become: yes
become_user: weblogic
tags: app,cpbinaries
copy:
src: "{{ item }}"
dest: "{{ oracle_home }}"
mode: 0755
with_items:
- "fmw_12.2.1.3.0_wls.jar"
- "server-jre-8u202-solaris-x64.tar.gz"
- "oraInst.loc"
- "install.file"
- "DemoIdentity.jks"
become: yes
become_user: weblogic
tags: app,cpbinaries
copy:
src: "{{ item }}"
dest: "{{ oracle_home }}"
mode: 0755
with_items:
- "fmw_12.2.1.3.0_wls.jar"
- "server-jre-8u202-solaris-x64.tar.gz"
- "oraInst.loc"
- "install.file"
- "DemoIdentity.jks"
and i get this error :
fatal: [solarisA]: FAILED! => {
"msg": "Failed to get information on remote file (/opt/oracle): Shared connection to solarisa closed.\r\n"
}
"msg": "Failed to get information on remote file (/opt/oracle): Shared connection to solarisa closed.\r\n"
}
so i switched to debug mode to detail all steps :
1 - Ansible creates remote temporaries directories
<solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384 `" && echo ansible-tmp-1568504245.1231182-74525082315384="` echo /var/tmp/ansible-tmp-1568504245.1231182-74525082315384 `" ) && sleep 0'"'"''
In this "become unprevilieged" context ansible creates his remote_tmp directory on /var/tmp which have permissive permissions and is world read-write-excutable.
2 - Ansible puts via sftp his python script:
<solarisB> (0, b'sftp> put /home/ansible/.ansible/tmp/ansible-local-614inxzagl8/tmpz32je0t9 /var/tmp/ansible-tmp-x.1231182-74525082315384/AnsiballZ_stat.py\n', b'')
this script needs to be executed by the unprivileged user (in this case weblogic), so setfacl is used to define extra acl for weblogic user (r-x) for directory and python script.
3 - Ansible sets special ACL:
<solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e solarisB '/bin/sh -c '"'"'setfacl -m u:weblogic:r-x /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/ /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py && sleep 0'"'"''
4 - Ansible executes his scripts with the "become_user" and here comes the issue:
<solarisB> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/bc112b7c2e -tt solarisB '/bin/sh -c '"'"'sudo -H -S -n -u weblogic /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-yphzzwuikysosecwybnqdmhqlrteqtqo ; /usr/bin/python /var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
<solarisB> (2, b"/usr/bin/python: can't open file '/var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py': [Errno 13] Permission denied\r\n", b'Shared connection to solarisb closed.\r\n')
Checking of tmp files on the remote host reveals that acls are setted as expected. It explains also why permission still denied.
Below the output of the getfacl command on both directory and file created by ansible :
mask:--- defines maximum permissions allow for users, so weblogic have no rights (#effective)
this value is set when file or directory are created. By default it is value of the group, in my case is group::--- so mask value is : mask:---.
bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729
# owner: ansible
# group: ansible
user::rwx
user:weblogic:r-x #effective:---
group::--- #effective:---
mask:---
other:---
bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py
# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py
# owner: ansible
# group: ansible
user::rw-
user:weblogic:r-x #effective:---
group::--- #effective:---
mask:---
other:---
mask:--- defines maximum permissions allow for users, so weblogic have no rights (#effective)
this value is set when file or directory are created. By default it is value of the group, in my case is group::--- so mask value is : mask:---.
man of setfacl inform about -r option :
-r Recalculates the permissions for the ACL
mask entry. The permissions specified in
the ACL mask entry are ignored and
replaced by the maximum permissions neces-
sary to grant the access to all additional
user, file group owner, and additional
group entries in the ACL. The permissions
in the additional user, file group owner,
and additional group entries are left
unchanged.
I tried to modify ansible's code to add this option :
in /lib/ansible/plugins/shell/__init__.py
def set_user_facl(self, paths, user, mode):
"""Only sets acls for users as that's really all we need"""
cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
cmd.extend(paths)
cmd = [shlex_quote(c) for c in cmd]
i reran playbook and task ended successfully.ansible-playbook 2.8.5
"""Only sets acls for users as that's really all we need"""
cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
cmd.extend(paths)
cmd = [shlex_quote(c) for c in cmd]
i reran playbook and task ended successfully.ansible-playbook 2.8.5
In documentation i see an 'allow_world_readable_tmpfiles' option but from what i understant it's only active when ansible can't set correct rights. In my case it seems that ansible doesn't catch any errors to this level and doesn't try to chmod his files.
Is there an option permitting to choose how ansible set rights in his remote temporary directories ?
------------------------------
Ansible/Python version :
ansible-playbook 2.8.5
python version = 3.6.8 (default, Apr 25 2019, 21:02:35) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Host remote :
bash-3.2$ uname -a
SunOS solarisA 5.10 Generic_147148-26 i86pc i386 i86pc
------------------------------
SunOS solarisA 5.10 Generic_147148-26 i86pc i386 i86pc
------------------------------
Regards
Vladimir Botka
Sep 16, 2019, 11:26:48 PM9/16/19
to Sur Veillor, ansible...@googlegroups.com
On Mon, 16 Sep 2019 14:28:10 -0700 (PDT)
Sur Veillor <mail.su...@gmail.com> wrote:
> [...]
> *4 - Ansible executes his scripts with the "become_user" and here comes the
> issue**:*
> [...]
> *<solarisB> (2, b"/usr/bin/python: can't open file
> >
> > *# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729*
> > *# owner: ansible*
> > *# group: ansible*
> > *user::rwx*
> > *user:weblogic:r-x #effective:---*
> > *group::--- #effective:---*
> > *mask:---*
> > *other:---*
> >
>
>
> *bash-3.2# getfacl
> > /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py*
> >
> > *# file:
> > /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py*
> > *# owner: ansible*
> > *# group: ansible*
> > *user::rw-*
> > *user:weblogic:r-x #effective:---*
> > *group::--- #effective:---*
> > *mask:---*
> > *other:---*
Failure running command as non privileged user #16052
https://github.com/ansible/ansible/issues/16052
Indeed, "setfacl" is missing the read permission "-r". You might want to
create a pull request
https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/shell/__init__.py
As a side-note. This article explains the current situation
https://jpmens.net/2019/06/21/i-care-about-ansible/
Thank you,
-vlado
Sur Veillor <mail.su...@gmail.com> wrote:
> [...]
> *4 - Ansible executes his scripts with the "become_user" and here comes the
> issue**:*
> [...]
> *<solarisB> (2, b"/usr/bin/python: can't open file
> '/var/tmp/ansible-tmp-1568504245.1231182-74525082315384/AnsiballZ_stat.py':
> [Errno 13] Permission denied\r\n", b'Shared connection to solarisb
> closed.\r\n')*
> [Errno 13] Permission denied\r\n", b'Shared connection to solarisb
>
> Checking of tmp files on the remote host reveals that acls are setted as
> expected. It explains also why permission still denied.
>
> Below the output of the getfacl command on both directory and file created
> by ansible :
>
> *bash-3.2# getfacl /var/tmp/ansible-tmp-1568576958.2552567-161485945290729*
> Checking of tmp files on the remote host reveals that acls are setted as
> expected. It explains also why permission still denied.
>
> Below the output of the getfacl command on both directory and file created
> by ansible :
>
> >
> > *# file: /var/tmp/ansible-tmp-1568576958.2552567-161485945290729*
> > *# owner: ansible*
> > *# group: ansible*
> > *user::rwx*
> > *user:weblogic:r-x #effective:---*
> > *group::--- #effective:---*
> > *mask:---*
> > *other:---*
> >
>
>
> *bash-3.2# getfacl
> > /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py*
> >
> > *# file:
> > /var/tmp/ansible-tmp-1568576958.2552567-161485945290729/AnsiballZ_stat.py*
> > *# owner: ansible*
> > *# group: ansible*
> > *user::rw-*
> > *user:weblogic:r-x #effective:---*
> > *group::--- #effective:---*
> > *mask:---*
> > *other:---*
> >
>
>
> mask:--- defines maximum permissions allow for users, so weblogic have no
> rights (#effective)
> this value is set when file or directory are created. By default it is
> value of the group, in my case is group::--- so mask value is : mask:---.
>
> man of setfacl inform about -r option :
>
> -r Recalculates the permissions for the ACL
> > mask entry. The permissions specified in
> > the ACL mask entry are ignored and
> > replaced by the maximum permissions neces-
> > sary to grant the access to all additional
> > user, file group owner, and additional
> > group entries in the ACL. The permissions
> > in the additional user, file group owner,
> > and additional group entries are left
> > unchanged.
> >
>
> I tried to modify ansible's code to add this option :
>
> *in /lib/ansible/plugins/shell/__init__.py*
>
>
> mask:--- defines maximum permissions allow for users, so weblogic have no
> rights (#effective)
> this value is set when file or directory are created. By default it is
> value of the group, in my case is group::--- so mask value is : mask:---.
>
> man of setfacl inform about -r option :
>
> -r Recalculates the permissions for the ACL
> > mask entry. The permissions specified in
> > the ACL mask entry are ignored and
> > replaced by the maximum permissions neces-
> > sary to grant the access to all additional
> > user, file group owner, and additional
> > group entries in the ACL. The permissions
> > in the additional user, file group owner,
> > and additional group entries are left
> > unchanged.
> >
>
> I tried to modify ansible's code to add this option :
>
>
> def set_user_facl(self, paths, user, mode):
> """Only sets acls for users as that's really all we need"""
> cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
> cmd.extend(paths)
> cmd = [shlex_quote(c) for c in cmd]
>
> i reran playbook and task ended successfully.ansible-playbook 2.8.5
>
> In documentation i see an 'allow_world_readable_tmpfiles' option but from
> what i understant it's only active when ansible can't set correct rights.
> In my case it seems that ansible doesn't catch any errors to this level and
> doesn't try to chmod his files.
> Is there an option permitting to choose how ansible set rights in his
> remote temporary directories ?
No. There is no such option. It seems that you've fixed the issue
> def set_user_facl(self, paths, user, mode):
> """Only sets acls for users as that's really all we need"""
> cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
> cmd.extend(paths)
> cmd = [shlex_quote(c) for c in cmd]
>
> i reran playbook and task ended successfully.ansible-playbook 2.8.5
>
> In documentation i see an 'allow_world_readable_tmpfiles' option but from
> what i understant it's only active when ansible can't set correct rights.
> In my case it seems that ansible doesn't catch any errors to this level and
> doesn't try to chmod his files.
> Is there an option permitting to choose how ansible set rights in his
> remote temporary directories ?
Failure running command as non privileged user #16052
https://github.com/ansible/ansible/issues/16052
Indeed, "setfacl" is missing the read permission "-r". You might want to
create a pull request
https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/shell/__init__.py
As a side-note. This article explains the current situation
https://jpmens.net/2019/06/21/i-care-about-ansible/
Thank you,
-vlado
Vladimir Botka
Sep 17, 2019, 4:46:41 AM9/17/19
to Sur Veillor, ansible...@googlegroups.com
> man of setfacl inform about -r option :
>
> -r Recalculates the permissions for the ACL
> > mask entry. The permissions specified in
> > the ACL mask entry are ignored and
> > replaced by the maximum permissions neces-
> > sary to grant the access to all additional
> > user, file group owner, and additional
> > group entries in the ACL. The permissions
> > in the additional user, file group owner,
> > and additional group entries are left
> > unchanged.
> >
>
> I tried to modify ansible's code to add this option :
>
> *in /lib/ansible/plugins/shell/__init__.py*
>
> -r Recalculates the permissions for the ACL
> > mask entry. The permissions specified in
> > the ACL mask entry are ignored and
> > replaced by the maximum permissions neces-
> > sary to grant the access to all additional
> > user, file group owner, and additional
> > group entries in the ACL. The permissions
> > in the additional user, file group owner,
> > and additional group entries are left
> > unchanged.
> >
>
> I tried to modify ansible's code to add this option :
>
>
> def set_user_facl(self, paths, user, mode):
> """Only sets acls for users as that's really all we need"""
> cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
> cmd.extend(paths)
> cmd = [shlex_quote(c) for c in cmd]
>
>
> i reran playbook and task ended successfully.ansible-playbook 2.8.5
setfacl "-r" option is not available in Linux. Linux man setfacl says
> def set_user_facl(self, paths, user, mode):
> """Only sets acls for users as that's really all we need"""
> cmd = ['setfacl', '-r', '-m', 'u:%s:%s' % (user, mode)]
> cmd.extend(paths)
> cmd = [shlex_quote(c) for c in cmd]
>
>
> i reran playbook and task ended successfully.ansible-playbook 2.8.5
-n, --no-mask
Do not recalculate the effective rights mask. The default behavior
of setfacl is to recalculate the ACL mask entry, unless a mask
entry was explicitly given. The mask entry is set to the union of
all permissions of the owning group, and all named user and group
entries. (These are exactly the entries affected by the mask entry).
--mask
Do recalculate the effective rights mask, even if an ACL mask
entry was explicitly given. (See the -n option.)
FWIW, "Solaris Working Group" might be interested to learn about it
https://github.com/ansible/community/wiki/Solaris
Cheers,
-vlado
Sur Veillor
Sep 17, 2019, 8:29:06 AM9/17/19
to Ansible Project
Le mardi 17 septembre 2019 10:46:41 UTC+2, Vladimir Botka a écrit :
setfacl "-r" option is not available in Linux. Linux man setfacl says
-n, --no-mask
Do not recalculate the effective rights mask. The default behavior
of setfacl is to recalculate the ACL mask entry, unless a mask
entry was explicitly given. The mask entry is set to the union of
all permissions of the owning group, and all named user and group
entries. (These are exactly the entries affected by the mask entry).
--mask
Do recalculate the effective rights mask, even if an ACL mask
entry was explicitly given. (See the -n option.)
FWIW, "Solaris Working Group" might be interested to learn about it
https://github.com/ansible/community/wiki/Solaris
Cheers,
-vlado
Indeed, I checked the setfacl options on another distribution and they are not the same.
Thank you Vladimir for your response and the links you have posted.
Vladimir Botka
Sep 17, 2019, 10:11:29 AM9/17/19
to Sur Veillor, ansible...@googlegroups.com
On Tue, 17 Sep 2019 05:29:05 -0700 (PDT)
Sur Veillor <mail.su...@gmail.com> wrote:
> > setfacl "-r" option is not available in Linux. Linux man setfacl says
Sur Veillor <mail.su...@gmail.com> wrote:
> > setfacl "-r" option is not available in Linux. Linux man setfacl says
> > FWIW, "Solaris Working Group" might be interested to learn about it
> > https://github.com/ansible/community/wiki/Solaris
> >
> > https://github.com/ansible/community/wiki/Solaris
> >
> Indeed, I checked the setfacl options on another distribution and they are
> not the same.
You've probably found out, but just to be sure, "pipelining" could help
> not the same.
meanwhile
https://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user
0 new messages