Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.5: Fix copy module to reset filesystem acls (#51868) #54796

Open
wants to merge 2 commits into
base: stable-2.5
from

Conversation

Projects
None yet
2 participants
@mkrizek
Copy link
Contributor

commented Apr 3, 2019

SUMMARY

Backport of #51868
(cherry picked from commit d15812f)

Alternative to #50419 and #51296

The controller's fixup_perms2 uses filesystem acls to make the temporary
file for copy readable by an unprivileged become user. On Python3, the
acls are then copied to the destination filename so we have to remove
them from there.

We can't remove them prior to the copy because we may not have
permission to read the file if the acls are not present. We can't
remove them in atomic_move() because the move function shouldn't know
anything about controller features. We may want to generalize this into
a helper function, though.

Fixes #44412

Co-authored-by: Toshio Kuratomi a.badger@gmail.com

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

copy
assemble
template

ADDITIONAL INFORMATION

The below action plugins use _transfer_file and fixup_perms2() too. However, the files that are transferred to the remote system are only kept in ansible temp dir and removed after they are used. Therefore it is not necessary to remove ACLs in those cases.

lib/ansible/plugins/action/patch.py
lib/ansible/plugins/action/script.py
lib/ansible/plugins/action/unarchive.py
lib/ansible/plugins/action/uri.py
Fix copy module to reset filesystem acls (#51868)
The controller's fixup_perms2 uses filesystem acls to make the temporary
file for copy readable by an unprivileged become user. On Python3, the
acls are then copied to the destination filename so we have to remove
them from there.

We can't remove them prior to the copy because we may not have
permission to read the file if the acls are not present. We can't
remove them in atomic_move() because the move function shouldn't know
anything about controller features. We may want to generalize this into
a helper function, though.

Fixes #44412

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit d15812f)
@ansibot

This comment has been minimized.

Copy link
Contributor

commented Apr 3, 2019

@ansibot

This comment has been minimized.

Copy link
Contributor

commented Apr 3, 2019

The test ansible-test sanity --test import --python 2.6 [explain] failed with 1 error:

lib/ansible/modules/files/copy.py:228:0: ImportError: No module named process

The test ansible-test sanity --test import --python 2.7 [explain] failed with 1 error:

lib/ansible/modules/files/copy.py:228:0: ImportError: No module named process

The test ansible-test sanity --test import --python 3.5 [explain] failed with 1 error:

lib/ansible/modules/files/copy.py:228:0: ImportError: No module named 'ansible.module_utils.common.process'

The test ansible-test sanity --test import --python 3.6 [explain] failed with 1 error:

lib/ansible/modules/files/copy.py:228:0: ModuleNotFoundError: No module named 'ansible.module_utils.common.process'

The test ansible-test sanity --test import --python 3.7 [explain] failed with 1 error:

lib/ansible/modules/files/copy.py:228:0: ModuleNotFoundError: No module named 'ansible.module_utils.common.process'

The test ansible-test sanity --test validate-modules [explain] failed with 4 errors:

lib/ansible/modules/files/copy.py:0:0: E321 Exception attempting to import module for argument_spec introspection, 'No module named 'ansible.module_utils.common.process''
test/sanity/validate-modules/ignore.txt:1024:1: A102 Remove since "lib/ansible/modules/files/copy.py" passes "E322" test
test/sanity/validate-modules/ignore.txt:1025:1: A102 Remove since "lib/ansible/modules/files/copy.py" passes "E323" test
test/sanity/validate-modules/ignore.txt:1026:1: A102 Remove since "lib/ansible/modules/files/copy.py" passes "E324" test

click here for bot help

@ansibot ansibot added needs_revision and removed core_review labels Apr 3, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.