[become] Add Solaris chmod ACL fallback

Change:
- Newer Solaris drops setfacl. Add a fallback for its chmod ACL syntax.

Test Plan:
- New units

Tickets:
- Fixes #74282

Signed-off-by: Rick Elrod <rick@elrod.me>
This commit is contained in:
Rick Elrod 2021-04-16 13:00:12 -05:00
parent 7d64aebdd3
commit 9f1513d4c0
3 changed files with 27 additions and 2 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- become - work around setfacl not existing on modern Solaris (and possibly failing on some filesystems even when it does exist)

View file

@ -576,6 +576,9 @@ class ActionBase(with_metaclass(ABCMeta, object)):
setfacl_mode = 'r-x' setfacl_mode = 'r-x'
# Apple patches their "file_cmds" chmod with ACL support # Apple patches their "file_cmds" chmod with ACL support
chmod_acl_mode = '{0} allow read,execute'.format(become_user) chmod_acl_mode = '{0} allow read,execute'.format(become_user)
# POSIX-draft ACL specification. Solaris, maybe others.
# See chmod(1) on something Solaris-based for syntax details.
posix_acl_mode = 'A+user:{0}:rx:allow'.format(become_user)
else: else:
chmod_mode = 'rX' chmod_mode = 'rX'
# TODO: this form fails silently on freebsd. We currently # TODO: this form fails silently on freebsd. We currently
@ -584,6 +587,8 @@ class ActionBase(with_metaclass(ABCMeta, object)):
setfacl_mode = 'r-X' setfacl_mode = 'r-X'
# Apple # Apple
chmod_acl_mode = '{0} allow read'.format(become_user) chmod_acl_mode = '{0} allow read'.format(become_user)
# POSIX-draft
posix_acl_mode = 'A+user:{0}:r:allow'.format(become_user)
# Step 3a: Are we able to use setfacl to add user ACLs to the file? # Step 3a: Are we able to use setfacl to add user ACLs to the file?
res = self._remote_set_user_facl( res = self._remote_set_user_facl(
@ -639,7 +644,17 @@ class ActionBase(with_metaclass(ABCMeta, object)):
if res['rc'] == 0: if res['rc'] == 0:
return remote_paths return remote_paths
# Step 3e: Common group # Step 3e: Try Solaris/OpenSolaris/OpenIndiana-sans-setfacl chmod
# Similar to macOS above, Solaris 11.4 drops setfacl and takes file ACLs
# via chmod instead. OpenSolaris and illumos-based distros allow for
# using either setfacl or chmod, and compatibility depends on filesystem.
# It should be possible to debug this branch by installing OpenIndiana
# (use ZFS) and going unpriv -> unpriv.
res = self._remote_chmod(remote_paths, posix_acl_mode)
if res['rc'] == 0:
return remote_paths
# Step 3f: Common group
# Otherwise, we're a normal user. We failed to chown the paths to the # Otherwise, we're a normal user. We failed to chown the paths to the
# unprivileged user, but if we have a common group with them, we should # unprivileged user, but if we have a common group with them, we should
# be able to chown it to that. # be able to chown it to that.

View file

@ -470,7 +470,15 @@ class TestActionBase(unittest.TestCase):
action_base._remote_chmod.side_effect = raise_if_plus_a action_base._remote_chmod.side_effect = raise_if_plus_a
assertSuccess() assertSuccess()
# Step 3e: Common group # Step 3e: chmod A+ on Solaris
# We threw AnsibleAuthenticationFailure above, try Solaris fallback.
# Based on our lambda above, it should be successful.
action_base._remote_chmod.assert_called_with(
remote_paths,
'A+user:remoteuser2:r:allow')
assertSuccess()
# Step 3f: Common group
def rc_1_if_chmod_acl(definitely_not_underscore, mode): def rc_1_if_chmod_acl(definitely_not_underscore, mode):
rc = 0 rc = 0
if mode in CHMOD_ACL_FLAGS: if mode in CHMOD_ACL_FLAGS: