User module creates home directory for existing user with incorrect SELinux types and permissions. #24862
Comments
From @ansibot on November 3, 2016 19:59 @ansible ping, this issue is waiting for your response. |
From @ansibot on November 19, 2016 10:1 @ansible, ping. This issue is still waiting on your response. |
From @ansibot on December 7, 2016 19:58 This repository has been locked. All new issues and pull requests should be filed in https://github.com/ansible/ansible Please read through the repomerge page in the dev guide. The guide contains links to tools which automatically move your issue or pull request to the ansible/ansible repo. |
From @andrewrothstein on January 3, 2017 17:9 Bueller? |
From @fzdarsky on February 7, 2017 10:12 Confirming issue exists also in Ansible 2.2.1.0 on Fedora 25. |
Under Debian + ansible 2.3.0 I am having the issue that system users are created with root:root homedir? Maybe related to: 507b96f#diff-8f60df5685f83b8659a1106d36591e93? It seems to be a regression, as with earlier versions I did not have issues. |
ping @bcoca (merged #19464) |
Same issue with ansible 2.3.0.0 on macOS Sierra 10.12.4, when deploying to Ubuntu 16.04.2 LTS. |
@alikins Thank you for the notification! About the problem: Solutions: If the latter is not the case, I intend to extend the user module such that it fixes the permissions and SELinux types itself. As I don't have access to an
Quickfixes: |
@rqelibari I'll see if I can get a RHEL7 test, but for references, the results on fedora 25:
To get the usermod to create the new dir, had to add the -m to the second usermod invocation:
|
@rqelibari You can check out my fix for this, PR #24868, which properly solves the creation of new directories for RHEL/Fedora. (I'll have to dig into why it doesn't work for Ubuntu) But that PR is blowing up on MacOSX, which I don't have access to. That being said, it sounds like we have two bugs being discussed here. One that affects creating a home directory for an existing user, and another Ubuntu issue that has problems creating home directories, period. RHEL output:
|
Debian 8:
Yup. |
Thank you for your posts! Comment on #24868 In accordance with @chriskarel's PR I propose to extend the user module with the following two options such that it acts more like the
|
Thanks @rqelibari for the investigation, however, my issue is not the permissions of the home-dir ( I believe this is a regression as it worked in previous versions (<2.3)? |
@lifeofguenter Yes indeed, your problem seems very odd...I cannot find a clue in the code of the user module why this could possibly happen. Especially as I will setup an Ubuntu VM later/tonight and will take a look myself on that. |
Any progress on this? I've just hit it with my Ubuntu 16.04 VMs |
Facing this on Ubuntu 16.04 VM. Any way to fix this? |
Facing it too. |
ping @rqelibari @alikins - any update on this? |
@gentili @murarisumit @ArseniiPetrovich There are two issues being discussed in this issue:
I'm able to duplicate 1 on CentOS 7. I am not able to duplicate 2 on Ubuntu 1604. If someone has a simple reproducer for 2 that is different than the original, please share so I can further troubleshoot this. |
For the native installation types (apt, yum), JENKINS_HOME is created with the Jenkins user on when the package is installed. In either case, it is quite likely that root will own this directory. Therefore, we should ensure that the correct Jenkins user owns this directory. In the case of the user module, the home directory created by Ansible is always owned by root:root, which is a known bug in Ansible: ansible/ansible#24862 As luck would have it, the "Create intermediate dirs for custom files" task was accidentally doing this work for us. However, if the user did not set any items for the jenkins_custom_files var, then this would cause Jenkins to fail at startup.
Any idea when this is getting fixed? |
Using ansible 2.8.4 and targeting CentOS 7 or Ubuntu 16.04, I cannot reproduce following issues:
Issue with SELinux context remains on CentOS. Tested all of this using a rather simple playbook.
Result is
When a user is created with |
Version: I get this bug when I run ansible module |
Experienced that problem today too. Is there any workaround? |
Okay, I actually found the issue in my script: I used the lineinfile module for a file inside the home directory which was not yet created... afterwards I created the home directory, resulting in that error. |
Any movement on this issue? Ran into this issue on CentOS 7: when creating new users OR creating a new home dir for existing users, the SELinux contexts aren't set correctly:
When I try "useradd" manually, it actually throws an error when trying to create the home dir in some location which is not /home:
Looks related to: https://bugzilla.redhat.com/show_bug.cgi?id=1013968 So I assume ansible should handle this scenario, potentially by automatically applying the correct selinux perms? |
Can this specific issue still be replicated on the latest Ansible versions, and if so, can someone share the reproducer for this problem? |
FWIW, using Ansible 2.16.2 from Fedora 39 (host+target), the situation improved, but I can still reproduce some of the described SELinux issues. What previously didn't work but now works: Home directory of a new user has the correct SELinux label when it's created like this:
Previously, I had to work around incorrect labeling via a follow-up task like this:
What still doesn't work properly is the labeling when the home is created of an already existing user. Reproducer:
Result on the target:
Expected result: The home directory is labeled like this: IOW, a follow-up Instead, in my environment, it prints:
|
From @chriskarel on November 3, 2016 19:21
ISSUE TYPE
COMPONENT NAME
User module
ANSIBLE VERSION
CONFIGURATION
Nothing unusual
OS / ENVIRONMENT
OEL/RHEL 7
SUMMARY
Using the user module on an existing user, but changing their home directory, results in the new home directory created with improper filesystem permissions and SELinux types.
STEPS TO REPRODUCE
Have an existing user, with an existing home directory setting. Then use the Ansible user module to change that home directory. The new directory will be created, but with the same permissions and SELinux values as the parent directory, rather than the usual home settings.
EXPECTED RESULTS
I would expect the new home directory that is created for an existing user would have similar permissions and SELinux values as a new home directory created for a brand new user. (eg: permissions of 0700, type of user_home_dir_t)
This also impacts the .ssh directory, if generate_ssh_key is true. I would expect the .ssh directory to have ssh_home_t type, but it does not.
ACTUAL RESULTS
The new home directory inherits the parent's permissions and SELinux context. In this case, that's mode 0755 and home_root_t, the same as /home/. /home/user_existing/ should look more like /home/userold/.
Copied from original issue: ansible/ansible-modules-core#5481
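An added example, not part of the issue thread or of Ansible's code: a small Python check for the three properties the report compares on a home directory (owner, mode 0700, SELinux type user_home_dir_t). The function names and the sample context string are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Expected values quoted in the issue; all names below are hypothetical.
EXPECTED_MODE = 0o700
EXPECTED_HOME_TYPE = "user_home_dir_t"


def selinux_type(context):
    """Return the type field of a 'user:role:type:level' context, else None."""
    if not context:
        return None
    fields = context.rstrip("\x00").split(":")
    return fields[2] if len(fields) >= 3 else None


def read_context(path):
    """Read the SELinux label from the security.selinux xattr, if present."""
    try:
        return os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):  # unlabeled filesystem or non-Linux host
        return None


def audit_home(path, uid, gid, context=None, expected_type=EXPECTED_HOME_TYPE):
    """List deviations from the owner, mode and SELinux type expected for a home."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        findings.append(f"mode {mode:04o}, expected {EXPECTED_MODE:04o}")
    found = selinux_type(context if context is not None else read_context(path))
    if found is not None and found != expected_type:
        findings.append(f"selinux type {found}, expected {expected_type}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a temp directory set up like the reported result.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o755)
    st = os.stat(demo)
    print(audit_home(demo, st.st_uid, st.st_gid,
                     context="unconfined_u:object_r:home_root_t:s0"))
```

For the `.ssh` directory mentioned in the report, pass `expected_type="ssh_home_t"`; when `context` is omitted the label is read from the file system, and hosts without SELinux labels produce no type finding.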