
os.chdir fails if the sudo/become user lacks adequate permissions to chdir prior to task #636

Open
msaladna opened this issue Aug 19, 2019 · 1 comment

@msaladna msaladna commented Aug 19, 2019

  • Which version of Ansible are you running?
    2.8.2
  • Is your version of Ansible patched in any way?
    No
  • Are you running with any custom modules, or module_utils loaded?
    No
  • Have you tried the latest master version from Git?
    Yes
  • Do you have some idea of what the underlying problem may be?
    os.chdir in runner.py does not check for permissions before attempting chdir. If permissions for the sudo user prohibit access to the cwd, then the task fails.
  • Mention your host and target OS and versions
    CentOS 7.6.1810
  • Mention your host and target Python versions
    CentOS stock, 2.7.5
  • If reporting a crash or hang in Ansible...
[task 12337] 13:59:35.925665 D mitogen.parent: starting no-reply function call to u'local.12340.sudo.postgres': mitogen.core.Dispatcher.forget_chain('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401')
[mux  12303] 13:59:35.926584 D ansible_mitogen.services: decrementing reference count for Context(4, u'local.12340.sudo.postgres')
[task 12337] 13:59:35.926955 D mitogen: MitogenProtocol(unix_listener.12303): disconnecting
[task 12337] 13:59:35.927252 D mitogen: Waker(fd=11/12): disconnecting
[task 12337] 13:59:35.927629 D mitogen: Router(Broker(7e50)): stats: 0 module requests in 0 ms, 0 sent (0 ms minify time), 0 negative responses. Sent 0.0 kb total, 0.0 kb avg.
[mux  12303] 13:59:35.929497 D mitogen: <Side of unix_client.12337 fd 76>: empty read, disconnecting
[mux  12303] 13:59:35.929760 D mitogen: MitogenProtocol(unix_client.12337): disconnecting
[mux  12303] 13:59:35.930372 D mitogen.[local.12340.sudo.postgres]: Dispatcher: dispatching (None, u'mitogen.core', u'Dispatcher', u'forget_chain', ('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401',), Kwargs({}))
[mux  12303] 13:59:35.930643 D mitogen.[local.12340.sudo.postgres]: Dispatcher: Message(4, 1, 0, 101, 0, '\x80\x02(NX\x0c\x00\x00\x00mitogen.coreX\n\x00\x00\x00Dispatcherq\x01X\x0c\x00\x00\x00forget_'..151) -> None
[mux  12303] 13:59:35.933657 D mitogen.service.[local.12340]: Pool(6a10, size=2, th='MainThread'): initialized
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 144, in run
    res = self._execute()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 648, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 116, in run
    return super(ActionModuleMixin, self).run(tmp, task_vars)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/normal.py", line 46, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 359, in _execute_module
    timeout_secs=self.get_task_timeout_secs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/planner.py", line 503, in invoke
    kwargs=planner.get_kwargs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 445, in call
    return self._rethrow(recv)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 431, in _rethrow
    return recv.get().unpickle()
  File "/usr/lib/python2.7/site-packages/mitogen/core.py", line 963, in unpickle
    raise obj
CallError: exceptions.OSError: [Errno 13] Permission denied: '/usr/local/apnscp/resources/playbooks'
  File "<stdin>", line 3661, in _dispatch_one
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/target.py", line 422, in run_module
    return impl.run()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 440, in run
    self.setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 850, in setup
    super(NewStyleRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 623, in setup
    super(ProgramRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 374, in setup
    self._setup_cwd()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 384, in _setup_cwd
    os.chdir(self.cwd)


fatal: [localhost]: FAILED! => {
    "msg": "Unexpected failure during module execution.", 
    "stdout": ""
}
  • If reporting any kind of problem with Ansible, please include the Ansible
    version along with output of "ansible-config dump --only-changed".
    # ansible-config dump --only-changed
    DEFAULT_STRATEGY(/usr/local/apnscp/resources/playbooks/ansible.cfg) = mitogen_linear
    DEFAULT_STRATEGY_PLUGIN_PATH(/usr/local/apnscp/resources/playbooks/ansible.cfg) = 
    [u'/usr/lib/python2.7/site-packages/ansible_mitogen/plugins/strategy']
    

Sample play to reproduce the behavior:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Become bug
      become_user: postgres
      become: True
      postgresql_user: name=testuser password=abc db=template1 encrypted=yes
      register: user_changed

Verification of the permissions:

sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
ls: cannot access /usr/local/apnscp/resources/playbooks/: Permission denied

Then if we change permissions to allow access by user "postgres":

chmod 711 /usr/local/apnscp/
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
# ls succeeds

Likewise the play completes as expected:

changed: [localhost] => {
    "changed": true, 
    "invocation": {
        "module_args": {
            "ca_cert": null, 
            "conn_limit": null, 
            "db": "template1", 
            "encrypted": true, 
            "expires": null, 
            "fail_on_user": true, 
            "login_host": "", 
            "login_password": "", 
            "login_unix_socket": "", 
            "login_user": "postgres", 
            "name": "testuser", 
            "no_password_changes": false, 
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
            "port": 5432, 
            "priv": null, 
            "role_attr_flags": "", 
            "session_role": null, 
            "ssl_mode": "prefer", 
            "state": "present", 
            "user": "testuser"
        }
    }, 
    "queries": [
        "CREATE USER \"testuser\" WITH ENCRYPTED PASSWORD %(password)s "
    ], 
    "user": "testuser"
}
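A guard for the `_setup_cwd` step shown in the traceback, as an added example that is not mitogen's code: it attempts the task cwd and, when the become user cannot enter it (the EACCES case above), logs a warning and continues in a fallback directory instead of aborting the task, while a `strict` flag keeps the current fail-fast behaviour. The injectable `chdir` parameter and the `constructed_chdir` fake are assumptions for offline demonstration; the denied path is the one from the report.

```python
import errno
import logging
import os

LOG = logging.getLogger(__name__)

# errno values meaning "the become user cannot use this directory" (the
# EACCES case in the report), as opposed to failures that should propagate.
_INACCESSIBLE = (errno.EACCES, errno.EPERM, errno.ENOENT, errno.ENOTDIR)


def setup_cwd(cwd, fallback="/", strict=False, chdir=os.chdir):
    """Change into `cwd` for a task, tolerating a cwd the user cannot enter.

    Returns (directory_used, error_or_None). "/" is the default fallback as
    every Unix user can enter it. `chdir` is injectable for testing only
    (hypothetical parameter, not present in mitogen's runner.py).
    """
    try:
        chdir(cwd)
        return cwd, None
    except OSError as exc:
        if strict or exc.errno not in _INACCESSIBLE:
            raise  # keep the original failure visible to the operator
        LOG.warning("cannot chdir to %r (%s); continuing in %r",
                    cwd, os.strerror(exc.errno), fallback)
        chdir(fallback)
        return fallback, exc


def constructed_chdir(denied):
    """Fake chdir that refuses `denied`, mimicking the unprivileged sudo user."""
    visited = []

    def chdir(path):
        if path == denied:
            raise OSError(errno.EACCES, "Permission denied", path)
        visited.append(path)

    return chdir, visited


def demo(strict=False):
    """Replay the report's scenario; returns (dir_used, errno, dirs_entered)."""
    playbooks = "/usr/local/apnscp/resources/playbooks"  # path from the report
    chdir, visited = constructed_chdir(playbooks)
    used, err = setup_cwd(playbooks, strict=strict, chdir=chdir)
    return used, (err.errno if err else None), visited
```

Silently changing the working directory alters where a module's relative paths resolve, which is why the fallback is logged and `strict=True` re-raises the original error.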
@zswanson zswanson commented Sep 13, 2019

Seeing this same issue using ansible 2.8 and mitogen 0.2.8; in our case though we're running ansible/mitogen during an AWS user-data script, so it runs as root. The file task fails when we use become_user to switch to a local service account. In our case we can work around it since the become_user wasn't a necessary step for the execution, so we just removed it.

@dw this is actually becoming a pretty major error; it impacts multiple tasks in our playbooks, and we cannot roll back to 0.2.7 because it isn't compatible with ansible 2.8.

Looks to be related to the fix from #591
