DeamonMV DeamonMV - 3 months ago 223
Git Question

Ansible 2.1.0 using become/become_user fails to set permissions on temp file

I have an ansible 2.1.0 on my server, where I do deployment via vagrant and on PC too.
The role "deploy" have :

- name: upload code
become: true
become_user: www-data
git: repo=git@bitbucket.org:****.git
dest=/var/www/main
key_file=/var/www/.ssh/id_rsa
accept_hostkey=true
update=yes
force=yes
register: fresh_code
notify: restart php-fpm
tags: fresh_code


In this case with ansible 2.1.0 I get an error:

fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}


It it ansible 2.0.1.0 which I use on my PC, is all normally - folder /var/www/ have folder main with owner and group www-data

If I use only became_user: www-data and if I use become_method: sudo with became_user: www-data - i got same error

What need to do to resolve this?

Answer

The problem is that www-data cannot access the same files your default non-root ansible user created you use to connect to the machine. Also the error message clearly points to ansible's documentation which describes what options you have to fix this issue when upgrading from ansible 2.0 or below.

They suggest three ways to properly fix the issue:

  • Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for non-python modules.
  • Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second unprivileged instead of having to make the file readable by everyone.
  • Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.

Or if you cannot do any of these fixes, then you can force ansible to run in a bit more insecure way (which seemed to be the default in ansible 2 and below), which should also fix your problem, but would not fix the underlying security risk:

If you can’t make any of the changes above to resolve the problem and you decide that the machine you’re running on is secure enough for the modules you want to run there to be world readable you can turn on allow_world_readable_tmpfiles in the ansible.cfg file. Setting allow_world_readable_tmpfiles will change this from an error into a warning and allow the task to run as it did prior to 2.1.