Note that ZFS's acls won't work with Ansible's secure temp file code.
parent 2b0d0d0323
commit 73fcf9ba6e
1 changed file with 10 additions and 6 deletions
@ -138,12 +138,11 @@ Ways to resolve this include:
the remote python interpreter's stdin. Pipelining does not work for
non-python modules.
* (Available in Ansible 2.1) Install filesystem acl support on the managed
host. If the temporary directory on the remote host is mounted with
filesystem acls enabled and the :command:`setfacl` tool is in the remote
``PATH`` then Ansible will use filesystem acls to share the module file with
the second unprivileged instead of having to make the file readable by
everyone.
* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
managed host. If the temporary directory on the remote host is mounted with
POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH``
then Ansible will use POSIX acls to share the module file with the second
unprivileged user instead of having to make the file readable by everyone.
* Don't perform an action on the remote machine by becoming an unprivileged
user. Temporary files are protected by UNIX file permissions when you
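Review bot: the rewritten bullet ("Install POSIX.1e filesystem acl support on the managed host ...") names two preconditions, an acl-enabled mount for the temporary directory and :command:`setfacl` in the remote ``PATH``, but gives the reader no way to confirm either before relying on this path instead of world-readable temp files. Consider adding a one-line check, e.g. run ``setfacl -m u:<unprivileged user>:r <file>`` on a scratch file in the remote temp directory and inspect it with ``getfacl``; if that fails, Ansible cannot use this mechanism on that host. Also, "(Available in Ansible 2.1)" in the bullet duplicates the ``.. versionchanged:: 2.1`` directive that follows in this same file; one of the two is enough.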
@ -151,6 +150,11 @@ Ways to resolve this include:
file permissions are also secure if you make the connection to the managed
machine as root and then use ``become`` to an unprivileged account.
.. warn:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
cannot use these ACLs to manage its temp file permissions so you may have
to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS.
.. versionchanged:: 2.1
In addition to the additional means of doing this securely, Ansible 2.1 also
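Review bot: ``.. warn::`` is not a docutils/Sphinx admonition directive; the directive is ``.. warning::``, so as written Sphinx will report "Unknown directive type" and the ZFS caveat will not render as an admonition. Change the line to ``.. warning:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs``. While there, the note opens scoped to "the Solaris ZFS filesystem" but closes with "if the remote machines use ZFS"; keep the scope consistent so readers do not over- or under-apply the ``allow_world_readable_tmpfiles`` fallback, which weakens the protection the rest of this section is about.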