Impersonating Users on AIX


Nicholas Santiago

Jan 12, 2017, 3:05:30 PM
to Ansible Project
After getting the hang of running Ansible on our Linux environment, my team has been tasked with getting it going on AIX. In working with our AIX team, we had to get them to set up AIX to support Python 2.7.5 and a more current version of Sudo (now on 1.8.18p1).

Our Ansible controller connects to the ansible user account on the remote AIX host, which has a sudoers entry as follows:

ansible ALL = (ALL) NOPASSWD: ALL,NOSHUTDOWN,NOHALT,NOREBOOT,NOETCLN,NOETCVI,NONETWORK,NOCONFIG

Our playbooks work just fine when trying to either be the ansible user account or using the become function to elevate to root. It appears, though, that when trying to use become to impersonate another user, I get the normal "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user" error.

Our playbook is a simple one:

# AIX Test

- hosts: aixTest

  remote_user: ansible
  serial: 99

  tasks:
  - name: Touch a file
    file:
      path: /tmp/ansible_touched_file
      state: touch

  - name: Ask whoami
    shell: whoami
    register: whoami

  - debug:
      msg: "{{whoami.stdout_lines}}"

  - name: Ask whoami (as root)
    shell: whoami
    register: whoami_root
    become: yes
    become_user: root

  - debug:
      msg: "{{whoami_root.stdout_lines}}"

  - name: Ask whoami (as service)
    shell: whoami
    register: whoami_service
    become: yes
    become_user: service

  - debug:
      msg: "{{whoami_service.stdout_lines}}"


I've since run the playbook with -vvvv flags, and have attempted to run the command that the AIX server chokes on. It gives me an error that I'm not sure how to work around, and I imagine Ansible doesn't either.

TASK [Ask whoami (as service)] *************************************************
task path: /ansible/aixTest/aixTest.yml:38
<aix0001a> ESTABLISH CONNECTION FOR USER: ansible on PORT 22 TO aix0001a
<aix0001a> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1484233367.3-152056486857441 `" && echo ansible-tmp-1484233367.3-152056486857441="` echo /tmp/ansible-tmp-1484233367.3-152056486857441 `" ) && sleep 0'
<aix0001a> PUT /tmp/tmpFsvfK3 TO /tmp/ansible-tmp-1484233367.3-152056486857441/command
<aix0001a> EXEC /bin/sh -c 'chown -R service /tmp/ansible-tmp-1484233367.3-152056486857441/ && sleep 0'
<aix0001a> EXEC /bin/sh -c 'find /tmp/ansible-tmp-1484233367.3-152056486857441/ -exec setfacl -m u:service:rX '"'"'{}'"'"' '"'"'+'"'"' && sleep 0'
fatal: [aix0001a]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}


When running the play manually, I run into this:

$ sudo chown -R service /tmp/ansible-tmp-1484233367.3-152056486857441/
$ sudo find /tmp/ansible-tmp-1484233367.3-152056486857441/ -exec setfacl -m u:service:rX '"'"'{}'"'"' '"'"'+'"'"'
find: 0652-018 An expression term lacks a required parameter.

Those of you that have worked with Ansible on AIX, have you had this problem? If so, what did you do to work around it? Open to any and all suggestions.

Thanks!
Nick
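
Added example, not part of the original post or of Ansible's own code: the `'"'"'` sequences in the -vvvv output above are how a single quote is escaped inside the single-quoted string handed to `/bin/sh -c`, and this script shows how the same characters parse with and without that wrapper. The helper names are hypothetical, and `true` stands in for `setfacl` so the script runs on a host without ACL tools.

```shell
#!/bin/sh
# Added example (not from the thread): how the '"'"' sequences in Ansible's
# -vvvv output parse with and without the /bin/sh -c '...' wrapper.

# Print each argument in brackets so the word boundaries are visible.
show_args() {
    out=""
    for a in "$@"; do out="${out}[${a}]"; done
    printf '%s\n' "$out"
}

# As logged: the command is ONE single-quoted string given to /bin/sh -c.
# Each '"'"' closes the string, adds a literal ', and reopens it, so the
# inner shell sees '{}' and '+' and passes find the bare words {} and +.
via_sh_c() {
    /bin/sh -c 'for a in -exec setfacl -m u:service:rX '"'"'{}'"'"' '"'"'+'"'"'; do printf "[%s]" "$a"; done; echo'
}

# Pasted at a prompt without the wrapper: the same characters now yield
# arguments that contain literal quote characters.
pasted() {
    show_args -exec setfacl -m u:service:rX '"'"'{}'"'"' '"'"'+'"'"'
}

# Exit status of find when -exec is closed by the two given words.
# Assumption: `true` stands in for setfacl so no ACL tools are needed.
find_rc() {
    d=$(mktemp -d) || return 2
    : > "$d/command"
    find "$d" -exec true "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$d"
    echo "$rc"
}

echo "via sh -c : $(via_sh_c)"
echo "pasted    : $(pasted)"
echo "find rc, unwrapped quoting : $(find_rc '{}' '+')"
echo "find rc, pasted quoting    : $(find_rc '"'"'{}'"'"' '"'"'+'"'"')"
```

Unwrapped, the logged permission step is `find <tmpdir> -exec setfacl -m u:service:rX '{}' '+'`, which is the form to use when reproducing it by hand.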

Thorsten Scheurer

Sep 27, 2017, 11:03:09 AM
to Ansible Project
Hello Nick,

We also run into the same problem with Ansible 2.4.0 and AIX 7.1. Could you resolve the problem? When I do the same with remote_user root there is no error.

Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: /tmp/ansible-tmp-1506524547.07-44042807873875/: Operation not permitted.
chown: /tmp/ansible-tmp-1506524547.07-44042807873875/command.py: Operation not permitted.
}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user



Thanks
Thorsten

cemoh...@gmail.com

Jun 27, 2018, 5:58:24 AM
to Ansible Project
Did you find any solution for this? Please let me know.

Thanks,
Mohan

cemoh...@gmail.com

Jun 27, 2018, 5:59:06 AM
to Ansible Project
Hi Thorsten,

Please let me know.


On Wednesday, September 27, 2017 at 8:33:09 PM UTC+5:30, Thorsten Scheurer wrote: