Note that ZFS's acls won't work with Ansible's secure temp file code.

Toshio Kuratomi 2016-06-17 10:01:11 -07:00
parent 2b0d0d0323
commit 73fcf9ba6e


@ -138,12 +138,11 @@ Ways to resolve this include:
the remote python interpreter's stdin. Pipelining does not work for
non-python modules.
* (Available in Ansible 2.1) Install filesystem acl support on the managed
host. If the temporary directory on the remote host is mounted with
filesystem acls enabled and the :command:`setfacl` tool is in the remote
``PATH`` then Ansible will use filesystem acls to share the module file with
the second unprivileged instead of having to make the file readable by
everyone.
* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
managed host. If the temporary directory on the remote host is mounted with
POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH``
then Ansible will use POSIX acls to share the module file with the second
unprivileged user instead of having to make the file readable by everyone.
* Don't perform an action on the remote machine by becoming an unprivileged
user. Temporary files are protected by UNIX file permissions when you
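Review bot: The rewritten bullet spells the term in lower case ("POSIX.1e filesystem acl support", "POSIX acls") while the warning added later in this patch writes "ACLs"; pick one spelling, preferably "ACL"/"ACLs", and use it in both places. The bullet also tells the reader to "install" ACL support but then depends on two separate conditions, the temporary directory being mounted with POSIX ACLs enabled and :command:`setfacl` being in the remote ``PATH``. It would help to say what happens when either one is missing, since the old text's fallback of making the file "readable by everyone" is the outcome this bullet is meant to avoid.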
@ -151,6 +150,11 @@ Ways to resolve this include:
file permissions are also secure if you make the connection to the managed
machine as root and then use ``become`` to an unprivileged account.
.. warn:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
cannot use these ACLs to manage its temp file permissions so you may have
to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS.
.. versionchanged:: 2.1
In addition to the additional means of doing this securely, Ansible 2.1 also
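Review bot: The new admonition opens with ".. warn::", which is not a reStructuredText or Sphinx directive; the directive is ".. warning::", so as written this block will produce an unknown-directive error instead of rendering. Within the warning, "POSIX.1e filesystem acls" should be capitalised to match "ACLs" in the same sentence. Since the text steers ZFS users toward ``allow_world_readable_tmpfiles``, it should also state plainly that this setting makes the module temp file readable by every user on the managed host, so readers understand the trade-off they are accepting.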