diff --git a/CHANGELOG.md b/CHANGELOG.md index 013ea7b4e62..4e82167d73f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,19 @@ Ansible Changes By Release * Fix a bug with async's poll keyword not making use of ansible_python_interpreter to run (and thus breaking when /usr/bin/python is not present on the remote machine.) * Fix a bug where hosts that started with a range in inventory were being treated as an invalid section header. * Fix a bug where the fetch module was not idempotent when retrieving the target of a symlink. + +###Deprecations: + +* Deprecated the use of `_fixup_perms`. Use `_fixup_perms2` instead. + This change only impacts custom action plugins using `_fixup_perms`. + +###Incompatible Changes: + +* Use of `_fixup_perms` with `recursive=True` (the default) is no longer supported. + Custom action plugins using `_fixup_perms` will require changes unless they already use `recursive=False`. + Use `_fixup_perms2` if support for previous releases is not required. + Otherwise use `_fixup_perms` with `recursive=False`. + ## 2.1.1 "The Song Remains the Same" - 07-28-2016 ###Minor Changes: diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py index 5231ac62cc2..92da3d848c1 100644 --- a/lib/ansible/plugins/action/__init__.py +++ b/lib/ansible/plugins/action/__init__.py 
@@ -293,7 +293,29 @@ class ActionBase(with_metaclass(ABCMeta, object)): return remote_path - def _fixup_perms(self, remote_paths, remote_user, execute=True): + def _fixup_perms(self, remote_path, remote_user, execute=True, recursive=True): + """ + We need the files we upload to be readable (and sometimes executable) + by the user being sudo'd to but we want to limit other people's access + (because the files could contain passwords or other private + information. + + Deprecated in favor of _fixup_perms2. Ansible code has been updated to + use _fixup_perms2. This code is maintained to provide partial support + for custom actions (non-recursive mode only). + + """ + + display.deprecated('_fixup_perms is deprecated. Use _fixup_perms2 instead.', version='2.4', removed=False) + + if recursive: + raise AnsibleError('_fixup_perms with recursive=True (the default) is no longer supported. ' + + 'Use _fixup_perms2 if support for previous releases is not required. ' + 'Otherwise use fixup_perms with recursive=False.') + + return self._fixup_perms2([remote_path], remote_user, execute) + + def _fixup_perms2(self, remote_paths, remote_user, execute=True): """ We need the files we upload to be readable (and sometimes executable) by the user being sudo'd to but we want to limit other people's access @@ -611,7 +633,7 @@ class ActionBase(with_metaclass(ABCMeta, object)): # Fix permissions of the tmp path and tmp files. This should be # called after all files have been transferred. if remote_files: - self._fixup_perms(remote_files, remote_user) + self._fixup_perms2(remote_files, remote_user) cmd = "" in_data = None diff --git a/lib/ansible/plugins/action/assemble.py b/lib/ansible/plugins/action/assemble.py index 359bc137083..60d4c965926 100644 --- a/lib/ansible/plugins/action/assemble.py +++ b/lib/ansible/plugins/action/assemble.py 
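Review bot: The AnsibleError message in the new `_fixup_perms` wrapper tells plugin authors to use `fixup_perms`, without the leading underscore, which is not the method's name; the last fragment should read `'Otherwise use _fixup_perms with recursive=False.'`. The wrapper also forwards `[remote_path]` to `_fixup_perms2`, so a caller written against the `remote_paths` signature on the removed line that still passes a tuple with `recursive=False` would hand over a nested sequence. The body of `_fixup_perms2` continues outside the hunk, so how it treats that input is not visible here; the docstring should at least state that `remote_path` is a single path. Since the docstring says these files may contain passwords, raising on `recursive=True` rather than silently skipping the recursion is the safer failure mode. The only test change on this page renames a mock, so a unit test asserting both the raise and the delegation to `_fixup_perms2` would be worth adding.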
@@ -153,7 +153,7 @@ class ActionModule(ActionBase): xfered = self._transfer_file(path, remote_path) # fix file permissions when the copy is done as a different user - self._fixup_perms((tmp, remote_path), remote_user) + self._fixup_perms2((tmp, remote_path), remote_user) new_module_args.update( dict( src=xfered,)) diff --git a/lib/ansible/plugins/action/async.py b/lib/ansible/plugins/action/async.py index 9287afb08d0..6a098323d13 100644 --- a/lib/ansible/plugins/action/async.py +++ b/lib/ansible/plugins/action/async.py @@ -76,7 +76,7 @@ class ActionModule(ActionBase): if argsfile: remote_paths += argsfile, - self._fixup_perms(remote_paths, remote_user, execute=True) + self._fixup_perms2(remote_paths, remote_user, execute=True) async_limit = self._task.async async_jid = str(random.randint(0, 999999999999)) diff --git a/lib/ansible/plugins/action/copy.py b/lib/ansible/plugins/action/copy.py index 362c22e7d81..324ebb6aab9 100644 --- a/lib/ansible/plugins/action/copy.py +++ b/lib/ansible/plugins/action/copy.py @@ -230,7 +230,7 @@ class ActionModule(ActionBase): # fix file permissions when the copy is done as a different user if remote_path: - self._fixup_perms((tmp, remote_path), remote_user) + self._fixup_perms2((tmp, remote_path), remote_user) if raw: # Continue to next iteration if raw is defined. diff --git a/lib/ansible/plugins/action/patch.py b/lib/ansible/plugins/action/patch.py index 77bf87bd86b..abd31d74543 100644 --- a/lib/ansible/plugins/action/patch.py +++ b/lib/ansible/plugins/action/patch.py @@ -59,7 +59,7 @@ class ActionModule(ActionBase): tmp_src = self._connection._shell.join_path(tmp, os.path.basename(src)) self._transfer_file(src, tmp_src) - self._fixup_perms((tmp, tmp_src), remote_user) + self._fixup_perms2((tmp, tmp_src), remote_user) new_module_args = self._task.args.copy() new_module_args.update( diff --git a/lib/ansible/plugins/action/script.py b/lib/ansible/plugins/action/script.py index 0ee716dcdb3..52f611d42f3 100644 
--- a/lib/ansible/plugins/action/script.py +++ b/lib/ansible/plugins/action/script.py @@ -79,7 +79,7 @@ class ActionModule(ActionBase): self._transfer_file(source, tmp_src) # set file permissions, more permissive when the copy is done as a different user - self._fixup_perms((tmp, tmp_src), remote_user, execute=True) + self._fixup_perms2((tmp, tmp_src), remote_user, execute=True) # add preparation steps to one ssh roundtrip executing the script env_string = self._compute_environment_string() diff --git a/lib/ansible/plugins/action/template.py b/lib/ansible/plugins/action/template.py index 824d1d39e3d..3ac53b443a6 100644 --- a/lib/ansible/plugins/action/template.py +++ b/lib/ansible/plugins/action/template.py @@ -164,7 +164,7 @@ class ActionModule(ActionBase): xfered = self._transfer_data(self._connection._shell.join_path(tmp, 'source'), resultant) # fix file permissions when the copy is done as a different user - self._fixup_perms((tmp, xfered), remote_user) + self._fixup_perms2((tmp, xfered), remote_user) # run the copy module new_module_args.update( diff --git a/lib/ansible/plugins/action/unarchive.py b/lib/ansible/plugins/action/unarchive.py index 5aa61fc5b81..6b4764033ca 100644 --- a/lib/ansible/plugins/action/unarchive.py +++ b/lib/ansible/plugins/action/unarchive.py @@ -93,7 +93,7 @@ class ActionModule(ActionBase): if copy: # fix file permissions when the copy is done as a different user - self._fixup_perms((tmp, tmp_src), remote_user) + self._fixup_perms2((tmp, tmp_src), remote_user) # Build temporary module_args. new_module_args = self._task.args.copy() new_module_args.update( diff --git a/test/units/plugins/action/test_action.py b/test/units/plugins/action/test_action.py index 537aa78cad6..72329bbeb67 100644 --- a/test/units/plugins/action/test_action.py +++ b/test/units/plugins/action/test_action.py 
@@ -570,7 +570,7 @@ class TestActionBase(unittest.TestCase): action_base._transfer_data = MagicMock() action_base._compute_environment_string = MagicMock() action_base._low_level_execute_command = MagicMock() - action_base._fixup_perms = MagicMock() + action_base._fixup_perms2 = MagicMock() action_base._configure_module.return_value = ('new', '#!/usr/bin/python', 'this is the module data') action_base._late_needs_tmp_path.return_value = False