In 2.5, the script module fails with privilege escalation, due to permission issues #36398
Labels
affects_2.5: This issue/PR affects Ansible v2.5
bug: This issue/PR relates to a bug.
module: This issue/PR relates to a module.
support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
ansibot added the affects_2.5, bug_report, module, needs_triage and support:core labels on Feb 19, 2018
bcoca removed the needs_triage label on Feb 19, 2018
abadger added a commit to abadger/ansible that referenced this issue on Feb 19, 2018
Unified tmp accidentally removed the containing tmpdir from the list of files to fix the permissions on when we're becoming a different unprivileged user. This resulted in a visible bug for script but not for patch.

This is because patch also uploads the module to the same temporary directory and the uploaded module also ends up calling fixup_perms2() which includes the temporary directory. So by the time patch needs to access the temporary patch file, the directory is appropriately set.

script's breakage was visible because script does not upload a module (it's akin to raw in this way). Therefore, we only call fixup_perms2() once in script and so leaving out the tmpdir in script means that the containing directory never has its permissions set appropriately.

Fixing both because it does not cause an extra round trip for patch so any speedup would be minimal and it's better to fix the perms as close as possible to where we know we need it. Otherwise, changes to seemingly unrelated code later could end up breaking it.

Fixes ansible#36398
abadger added a commit that referenced this issue on Feb 19, 2018
Fixes #36398 (cherry picked from commit edaeb69)
abadger added a commit that referenced this issue on Feb 19, 2018
ISSUE TYPE
COMPONENT NAME
Privilege escalation and the script module
ANSIBLE VERSION
CONFIGURATION
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible/roles']
OS / ENVIRONMENT
CentOS 7.4
SUMMARY
Prior to 2.5, script tasks run with privilege escalation applied setfacl to both the housing directory and the target host script. With 2.5, setfacl is applied solely to the target host script. The housing directory is not opened to the become_user, so the task fails with permission issues.
#35666 is possibly related, where there were permission failures for tasks with privilege escalation and deep remote_tmp directories.
STEPS TO REPRODUCE
ansible-playbook -i inventory.ini playbook.yml -vvv
inventory.ini
playbook.yml
EXPECTED RESULTS
I expected the playbook to run to completion, as it does in 2.4.2. The setfacl call in the "By another user" task applies to both the housing directory and the script.
ACTUAL RESULTS
2.5.0b2 fails, complaining about permission issues. The setfacl call in the "By another user" task targets only the script, leaving the housing directory unaltered.
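The failure mode the summary and the commit message describe is a path-traversal permission problem: opening the script alone does nothing if the remote_tmp directory around it stays mode 0700, because the become_user cannot search the directory to reach the file. The following Python is an added illustration written for this page, not code from the issue or from Ansible. The helper names (files_to_fix, open_to_others, reachable_by_others, demo) are hypothetical; open_to_others is a deliberately simplified stand-in for fixup_perms2() that uses chmod o+rx instead of Ansible's setfacl-then-chmod logic, and reachable_by_others checks mode bits rather than actually switching users, so the example runs as any user without ACL tooling.

```python
import os
import shutil
import stat
import tempfile


def files_to_fix(tmpdir, remote_files, include_tmpdir=True):
    """Paths whose permissions must be opened to the become user.

    include_tmpdir=False mirrors the 2.5.0b2 regression: only the uploaded
    script is listed and the containing remote_tmp directory is left alone.
    """
    paths = list(remote_files)
    if include_tmpdir and tmpdir not in paths:
        paths.insert(0, tmpdir)
    return paths


def open_to_others(paths):
    """Simplified stand-in for fixup_perms2(): chmod o+rx on each path.

    Assumption for this example: Ansible itself prefers setfacl for the
    specific become_user and falls back to chmod/chown; plain mode bits are
    used here so the example runs as any user without ACL tooling.
    """
    for path in paths:
        mode = os.stat(path).st_mode
        os.chmod(path, mode | stat.S_IROTH | stat.S_IXOTH)


def reachable_by_others(path, top):
    """Could an unrelated unprivileged user read `path`?

    Every directory from the file's parent up to and including `top` needs
    the search (x) bit for others, and the file itself needs the read bit.
    Returns (True, None) on success or (False, blocking_path) naming the
    first component that denies access.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    directory = os.path.dirname(path)
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False, directory
        parent = os.path.dirname(directory)
        if directory == top or parent == directory:
            break
        directory = parent
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False, path
    return True, None


def demo(include_tmpdir):
    """Build a private remote_tmp holding a script (constructed sample data),
    run the permission fix-up, and report whether another user could run it."""
    base = tempfile.mkdtemp()  # plays the role of ~/.ansible/tmp
    try:
        tmpdir = os.path.join(base, "ansible-tmp-demo")
        os.mkdir(tmpdir, 0o700)  # remote_tmp dirs are private to the ssh user
        script = os.path.join(tmpdir, "hello.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
        os.chmod(script, 0o700)
        open_to_others(files_to_fix(tmpdir, [script], include_tmpdir))
        ok, blocker = reachable_by_others(script, top=tmpdir)
        return ok, (os.path.basename(blocker) if blocker else None)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("script only  :", demo(include_tmpdir=False))  # (False, 'ansible-tmp-demo')
    print("script+tmpdir:", demo(include_tmpdir=True))   # (True, None)
```

With the directory left out of the fix-up list, reachable_by_others stops at the 0700 remote_tmp directory even though the script itself is readable, which is the "permission issues" error the reporter saw; adding the tmpdir back, as the fix does, makes the whole path traversable. The same walk-up check is a useful sanity test whenever a file is shared with another user by ACL: confirm every ancestor directory grants search permission, not just the file.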