mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Note that ZFS's acls won't work with Ansible's secure temp file code.
parent
2b0d0d0323
commit
73fcf9ba6e
1 changed files with 10 additions and 6 deletions
|
@ -138,12 +138,11 @@ Ways to resolve this include:
|
||||||
the remote python interpreter's stdin. Pipelining does not work for
|
the remote python interpreter's stdin. Pipelining does not work for
|
||||||
non-python modules.
|
non-python modules.
|
||||||
|
|
||||||
* (Available in Ansible 2.1) Install filesystem acl support on the managed
|
* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
|
||||||
host. If the temporary directory on the remote host is mounted with
|
managed host. If the temporary directory on the remote host is mounted with
|
||||||
filesystem acls enabled and the :command:`setfacl` tool is in the remote
|
POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH``
|
||||||
``PATH`` then Ansible will use filesystem acls to share the module file with
|
then Ansible will use POSIX acls to share the module file with the second
|
||||||
the second unprivileged instead of having to make the file readable by
|
unprivileged user instead of having to make the file readable by everyone.
|
||||||
everyone.
|
|
||||||
|
|
||||||
* Don't perform an action on the remote machine by becoming an unprivileged
|
* Don't perform an action on the remote machine by becoming an unprivileged
|
||||||
user. Temporary files are protected by UNIX file permissions when you
|
user. Temporary files are protected by UNIX file permissions when you
|
||||||
|
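Review bot: the replacement lines in the ACL bullet write "acl" and "acls" in lower case ("POSIX.1e filesystem acl support", "POSIX acls enabled"), while the warning added later in this same patch writes "ACLs"; use the upper-case form throughout. The bullet also names the standard as "POSIX.1e" once and as plain "POSIX" twice. Writing "POSIX.1e ACLs" at first mention and keeping one short form afterwards would stop readers from wondering whether two different mechanisms are meant.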
@ -151,6 +150,11 @@ Ways to resolve this include:
|
||||||
file permissions are also secure if you make the connection to the managed
|
file permissions are also secure if you make the connection to the managed
|
||||||
machine as root and then use ``become`` to an unprivileged account.
|
machine as root and then use ``become`` to an unprivileged account.
|
||||||
|
|
||||||
|
.. warn:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
|
||||||
|
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
|
||||||
|
cannot use these ACLs to manage its temp file permissions so you may have
|
||||||
|
to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS.
|
||||||
|
|
||||||
.. versionchanged:: 2.1
|
.. versionchanged:: 2.1
|
||||||
|
|
||||||
In addition to the additional means of doing this securely, Ansible 2.1 also
|
In addition to the additional means of doing this securely, Ansible 2.1 also
|
||||||
|
|
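Review bot: `.. warn::` on the first added line is not a reStructuredText or Sphinx directive, so the build will report an unknown directive and the text will not render as an admonition; it should be `.. warning::`, with the three continuation lines indented under it. The last added line also sends ZFS users to ``allow_world_readable_tmpfiles`` without saying that this leaves the module file readable by everyone on the managed host, which is the exposure the ACL bullet above is written to avoid. Say so in the warning, and point first at the other listed resolutions (pipelining, or not becoming an unprivileged user).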