provides per host/plugin world readable temp opt (#69393)

fixes #46174
2020-05-26 15:29:37 -04:00 · 2020-05-26 15:29:37 -04:00 · c987c0c8a1
commit c987c0c8a1
parent 4aff87770e
3 changed files with 18 additions and 1 deletions
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@ -3,6 +3,10 @@
 ---
 ALLOW_WORLD_READABLE_TMPFILES:
  name: Allow world-readable temporary files
+  deprecated:
+    why: moved to a per plugin approach that is more flexible.
+    version: "2.14"
+    alternatives: mostly the same config will work, but now controlled from the plugin itself and not using the general constant.
  default: False
  description:
    - This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@ -538,7 +538,7 @@ class ActionBase(with_metaclass(ABCMeta, object)):
                    raise AnsibleError('Failed to change ownership of the temporary files Ansible needs to create despite connecting as a privileged user. '
                                       'Unprivileged become user would be unable to read the file.')
                elif res['rc'] != 0:
-                    if C.ALLOW_WORLD_READABLE_TMPFILES:
+                    if self.get_shell_option('world_readable_temp', C.ALLOW_WORLD_READABLE_TMPFILES):
                        # chown and fs acls failed -- do things this insecure
                        # way only if the user opted in in the config file
                        display.warning('Using world-readable permissions for temporary files Ansible needs to create when becoming an unprivileged user. '
--- a/lib/ansible/plugins/doc_fragments/shell_common.py
+++ b/lib/ansible/plugins/doc_fragments/shell_common.py
@ -58,4 +58,17 @@ options:
        key: admin_users
    vars:
      - name: ansible_admin_users
+  world_readable_temp:
+    version_added: '2.10'
+    default: False
+    description:
+      - This makes the temporary files created on the machine world-readable and will issue a warning instead of failing the task.
+      - It is useful when becoming an unprivileged user.
+    env:
+      - name: ANSIBLE_SHELL_ALLOW_WORLD_READABLE_TEMP
+    vars:
+      - name: ansible_shell_allow_world_readable_temp
+    ini:
+    - {key: allow_world_readable_tmpfiles, section: defaults}
+    type: boolean
 """