From c987c0c8a1c18be7a35157e9c75dcd2cdbdad003 Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Tue, 26 May 2020 15:29:37 -0400
Subject: [PATCH] provides per host/plugin world readable temp opt (#69393)

fixes #46174
---
 lib/ansible/config/base.yml | 4 ++++
 lib/ansible/plugins/action/__init__.py | 2 +-
 lib/ansible/plugins/doc_fragments/shell_common.py | 13 +++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
index 7029c651894..ff61e99def7 100644
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@@ -3,6 +3,10 @@
 ---
 ALLOW_WORLD_READABLE_TMPFILES:
 name: Allow world-readable temporary files
+ deprecated:
+ why: moved to a per plugin approach that is more flexible.
+ version: "2.14"
+ alternatives: mostly the same config will work, but now controlled from the plugin itself and not using the general constant.
 default: False
 description:
 - This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index aa001c405bf..e30ba0d9026 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -538,7 +538,7 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 raise AnsibleError('Failed to change ownership of the temporary files Ansible needs to create despite connecting as a privileged user. '
 'Unprivileged become user would be unable to read the file.')
 elif res['rc'] != 0:
- if C.ALLOW_WORLD_READABLE_TMPFILES:
+ if self.get_shell_option('world_readable_temp', C.ALLOW_WORLD_READABLE_TMPFILES):
 # chown and fs acls failed -- do things this insecure
 # way only if the user opted in in the config file
 display.warning('Using world-readable permissions for temporary files Ansible needs to create when becoming an unprivileged user. '
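Review bot: The new `alternatives` text in the base.yml hunk never names the replacement, so the deprecation warning a user sees at runtime gives them nothing to look up. Since the replacement is declared in the same patch, it can be named directly: `alternatives: use the 'world_readable_temp' shell plugin option (env ANSIBLE_SHELL_ALLOW_WORLD_READABLE_TEMP, host var ansible_shell_allow_world_readable_temp, or the allow_world_readable_tmpfiles ini key)`. Whether the ini key is really shared with the deprecated constant cannot be confirmed from this hunk, as the constant's own `ini` entry is outside it.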
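Review bot: The comment two lines below the changed condition, `# way only if the user opted in in the config file`, is now stale: with this change the insecure path can also be enabled through the ANSIBLE_SHELL_ALLOW_WORLD_READABLE_TEMP environment variable or the per-host `ansible_shell_allow_world_readable_temp` variable, which means inventory and host_vars now decide whether a target gets world-readable temp files. Suggest `# way only if the user opted in (ansible.cfg, env, or the per-host shell var)` so the next reader knows the opt-in surface grew. The positional fallback `C.ALLOW_WORLD_READABLE_TMPFILES` is only consulted if get_shell_option falls back when the option is unset; because the fragment declares `default: False`, the plugin's own default may win for hosts that never set the new option, and users still relying on the old global setting would fail the task instead of getting the warning — the safe direction, but worth confirming against get_shell_option, which is not in this hunk. The enclosing method starts and ends outside the hunk.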
diff --git a/lib/ansible/plugins/doc_fragments/shell_common.py b/lib/ansible/plugins/doc_fragments/shell_common.py
index d3b78e12ac0..a80e7f71476 100644
--- a/lib/ansible/plugins/doc_fragments/shell_common.py
+++ b/lib/ansible/plugins/doc_fragments/shell_common.py
@@ -58,4 +58,17 @@ options:
 key: admin_users
 vars:
 - name: ansible_admin_users
+ world_readable_temp:
+ version_added: '2.10'
+ default: False
+ description:
+ - This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.
+ - It is useful when becoming an unprivileged user.
+ env:
+ - name: ANSIBLE_SHELL_ALLOW_WORLD_READABLE_TEMP
+ vars:
+ - name: ansible_shell_allow_world_readable_temp
+ ini:
+ - {key: allow_world_readable_tmpfiles, section: defaults}
+ type: boolean
 """
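Review bot: The new option's description says the files become world-readable but not what that exposes, so a user weighing the option at the place they find it gets no sense of the cost; presumably the temporary directory holds the module being executed and its arguments for the life of those files, in which case a line such as `- Any local user on the target can read whatever Ansible places in the temporary directory while it exists, so enable this only for hosts where that is acceptable.` would state the trade-off plainly. It would also help to say that this is the per-plugin replacement for the deprecated ALLOW_WORLD_READABLE_TMPFILES setting, so people migrating from the deprecation warning land on the right option. The ini entry reuses the `allow_world_readable_tmpfiles` key in `defaults`; if that is the same key the deprecated constant reads, stating that existing ansible.cfg entries keep working would save a support question.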