Move setting for world-readable-tempfiles back to global config.

The code that depends on this is all in the action plugins so we should leave it there until we either move that action plugin code over (fixup_perms2) or we give action plugins the ability to register new config.
2018-01-22 15:35:33 -08:00 · 2018-01-22 15:35:33 -08:00 · 62bc714dae
commit 62bc714dae
parent 5c2f3e3b8c
3 changed files with 14 additions and 13 deletions
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@ -1,6 +1,18 @@
 # Copyright (c) 2017 Ansible Project
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 ---
+ALLOW_WORLD_READABLE_TMPFILES:
+  name: Allow world readable temporary files
+  default: False
+  description:
+    - This makes the temporary files created on the machine to be world readable and will issue a warning instead of failing the task.
+    - It is useful when becoming an unprivileged user.
+  env: []
+  ini:
+  - {key: allow_world_readable_tmpfiles, section: defaults}
+  type: boolean
+  yaml: {key: defaults.allow_world_readable_tmpfiles}
+  version_added: "2.1"
 ANSIBLE_COW_SELECTION:
  name: Cowsay filter selection
  default: default
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@ -383,7 +383,7 @@ class ActionBase(with_metaclass(ABCMeta, object)):
        * If the chown fails we can set the file to be world readable so that
          the second unprivileged user can read the file.
          Since this could allow other users to get access to private
-          information we only do this ansible is configured with
+          information we only do this if ansible is configured with
          "allow_world_readable_tmpfiles" in the ansible.cfg
        """
        if remote_user is None:
@ -431,7 +431,7 @@ class ActionBase(with_metaclass(ABCMeta, object)):
                    raise AnsibleError('Failed to change ownership of the temporary files Ansible needs to create despite connecting as a privileged user. '
                                       'Unprivileged become user would be unable to read the file.')
                elif res['rc'] != 0:
-                    if self._connection._shell('allow_world_readable_temp'):
+                    if C.ALLOW_WORLD_READABLE_TMPFILES:
                        # chown and fs acls failed -- do things this insecure
                        # way only if the user opted in in the config file
                        display.warning('Using world-readable permissions for temporary files Ansible needs to create when becoming an unprivileged user. '
--- a/lib/ansible/utils/module_docs_fragments/shell_common.py
+++ b/lib/ansible/utils/module_docs_fragments/shell_common.py
@ -78,15 +78,4 @@ options:
        key: admin_users
    vars:
      - name: ansible_admin_users
-  allow_world_readable_temp:
-    type: boolean
-    description:
-        - This makes the temporary files created on the machine to be world readable and will issue a warning instead of failing the task.
-        - It is useful when becoming an unprivileged user.
-    ini:
-      - section: defaults
-        key: allow_world_readable_tmpfiles
-    vars:
-      - name: ansible_world_readable_tmpfiles
-    version_added: "2.1"
 """