exec from /tmp permission denied

Julian Brown

Oct 19, 2017, 10:30:52 AM
to Ansible Project
In our environment we do not allow execution from /tmp.

So:

Julians-Macbook-Pro:deploy_with_ansible julianbrown$ cat ansible.cfg
[defaults]
inventory = myhosts.ini
remote_tmp = ~/.ansible/tmp
local_tmp = ~/.ansible/tmp

[ssh_connection]
ssh_args=-o ForwardAgent=yes

I tell it to use ~/.ansible/tmp

Playbook:

Julians-Macbook-Pro:deploy_with_ansible julianbrown$ cat deploy_julian_bin.yml
---
- hosts: all
  remote_user: root

  tasks:
    - name: deploy bin git repo
      git:
        repo: XXXXXX for privacy
        dest: /root/bin
        version: master


But it is being ignored:

fatal: [testing.tld]: FAILED! => {
    "changed": false,
    "cmd": "/usr/local/cpanel/3rdparty/lib/path-bin/git clone --origin origin 'ssh:********@enterprise.cpanel.net:7999/~julian.brown/ansible-julian-mybin.
    "failed": true,
    "invocation": {
        "module_args": {
            "accept_hostkey": false,
            "archive": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/root/bin",
            "executable": null,
            "force": false,
            "key_file": null,
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "master"
        }
    },
    "msg": "Cloning into '/root/bin'...\nfatal: cannot exec '/tmp/tmpupKV8D': Permission denied\nfatal: unable to fork",
    "rc": 128,
    "stderr": "Cloning into '/root/bin'...\nfatal: cannot exec '/tmp/tmpupKV8D': Permission denied\nfatal: unable to fork\n",
    "stderr_lines": [
        "Cloning into '/root/bin'...",
        "fatal: cannot exec '/tmp/tmpupKV8D': Permission denied",
        "fatal: unable to fork"
    ],
    "stdout": "",
    "stdout_lines": []

It is still trying to execute a script in /tmp, how do I tell it to NOT put its scripts in /tmp?

None of the parameters listed in the configuration page seem to do that, of course I could be reading it wrong.

Thanx

Julian


Brian Coca

Oct 19, 2017, 10:43:40 AM
to Ansible Project
Try setting remote_tmp to /var/tmp. There is an issue with remote_tmp
and permission downscaling, Ansible currently defaults to /tmp to
compensate for this. This setting is global but I'm working on making
it host specific and allow to specify the fallback/system temp dirs
when needed.

https://github.com/ansible/ansible/pull/31677
--
----------
Brian Coca

Julian Brown

Oct 19, 2017, 11:00:52 AM
to Ansible Project
OK I tried that, but it insists on using /tmp for that git execution.   Ansible may not be usable by me, dang this is a show stopper.
    "cmd": "/usr/local/cpanel/3rdparty/lib/path-bin/git clone --origin origin 'xxxxxxx.
    "failed": true,
    "invocation": {
        "module_args": {
            "accept_hostkey": false,
            "archive": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/root/bin",
            "executable": null,
            "force": false,
            "key_file": null,
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "repo": "xxxxxx",
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "master"
        }
    },
    "msg": "Cloning into '/root/bin'...\nfatal: cannot exec '/tmp/tmpupKV8D': Permission denied\nfatal: unable to fork",
    "rc": 128,
    "stderr": "Cloning into '/root/bin'...\nfatal: cannot exec '/tmp/tmpupKV8D': Permission denied\nfatal: unable to fork\n",
    "stderr_lines": [
        "Cloning into '/root/bin'...",
        "fatal: cannot exec '/tmp/tmpupKV8D': Permission denied",
        "fatal: unable to fork"
    ],
    "stdout": "",
    "stdout_lines": []

Julian Brown

Oct 19, 2017, 11:22:02 AM
to Ansible Project
I worked around it by using "command:" and putting a git command in there.

If I were more confident in what I am doing, I would file a bug report.   It looks like the "git:" command does not look at remote_tmp.

Thanx

Julian



Brian Coca

Oct 19, 2017, 12:03:27 PM
to Ansible Project
Ah, nvmd, git module has its own wrapper, try setting environment:
TEMP or TMP=/var/tmp, git module uses mktemp function to create its
own temporary wrapper file. (also planning on fixing this)

--
----------
Brian Coca
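
Added example, not part of the thread and not Ansible's own code: Python's `tempfile` consults TMPDIR, TEMP and TMP before falling back to /tmp, which is why the environment setting suggested above can move the git wrapper file. The sketch below, using the hypothetical helper names `tempdir_under` and `can_exec_from`, reports which directory would be chosen under a given environment and whether a script created there can be executed (False on a noexec mount).

```python
import os
import subprocess
import tempfile

TEMP_VARS = ("TMPDIR", "TEMP", "TMP")  # order in which tempfile consults them


def tempdir_under(overrides):
    """Return the directory tempfile would pick if only `overrides` were set."""
    saved_env = {k: os.environ.get(k) for k in TEMP_VARS}
    saved_cache = tempfile.tempdir
    try:
        for k in TEMP_VARS:
            os.environ.pop(k, None)
        os.environ.update(overrides)
        tempfile.tempdir = None  # drop the cached choice so it is recomputed
        return tempfile.gettempdir()
    finally:
        # Put the process environment and tempfile's cache back as they were.
        for k, v in saved_env.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
        tempfile.tempdir = saved_cache


def can_exec_from(directory):
    """Create a small script in `directory` and report whether it can be run."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, 0o700)
        try:
            return subprocess.run([path]).returncode == 0
        except PermissionError:  # EACCES, as on a noexec mount
            return False
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed cases: the current default, then the /var/tmp suggestion.
    for overrides in ({}, {"TMP": "/var/tmp"}):
        chosen = tempdir_under(overrides)
        print(overrides, "->", chosen, "exec ok:", can_exec_from(chosen))
```

Run on the managed host as the remote user, this shows whether the directory chosen under the suggested setting is one the host allows execution from.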