mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00

Note that ZFS's acls won't work with Ansible's secure temp file code.

This commit is contained in:
Toshio Kuratomi 2016-06-17 10:01:11 -07:00
parent 2b0d0d0323
commit 73fcf9ba6e

@ -138,12 +138,11 @@ Ways to resolve this include:
the remote python interpreter's stdin. Pipelining does not work for the remote python interpreter's stdin. Pipelining does not work for
non-python modules. non-python modules.
* (Available in Ansible 2.1) Install filesystem acl support on the managed * (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the
host. If the temporary directory on the remote host is mounted with managed host. If the temporary directory on the remote host is mounted with
filesystem acls enabled and the :command:`setfacl` tool is in the remote POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH``
``PATH`` then Ansible will use filesystem acls to share the module file with then Ansible will use POSIX acls to share the module file with the second
the second unprivileged instead of having to make the file readable by unprivileged user instead of having to make the file readable by everyone.
everyone.
* Don't perform an action on the remote machine by becoming an unprivileged * Don't perform an action on the remote machine by becoming an unprivileged
user. Temporary files are protected by UNIX file permissions when you user. Temporary files are protected by UNIX file permissions when you
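Review bot: The rewritten bullet names the same mechanism three ways: "POSIX.1e filesystem acl support" in its first sentence, then "POSIX acls" twice in the second. Since the point of the change is to distinguish POSIX.1e ACLs from other ACL models, pick one term (for example "POSIX.1e ACLs") and use it throughout the bullet, capitalized the same way as "ACLs" in the ZFS warning added in the next hunk. The "second unprivileged user" fix is good.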
@ -151,6 +150,11 @@ Ways to resolve this include:
file permissions are also secure if you make the connection to the managed file permissions are also secure if you make the connection to the managed
machine as root and then use ``become`` to an unprivileged account. machine as root and then use ``become`` to an unprivileged account.
.. warn:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs
are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible
cannot use these ACLs to manage its temp file permissions so you may have
to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS.
.. versionchanged:: 2.1 .. versionchanged:: 2.1
In addition to the additional means of doing this securely, Ansible 2.1 also In addition to the additional means of doing this securely, Ansible 2.1 also
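Review bot: The added admonition opens with ".. warn::", which is not a reStructuredText or Sphinx directive; the directive is ".. warning::", so as written the block will produce a build error instead of a rendered warning. Please also confirm there is a blank line between the end of the warning body and ".. versionchanged:: 2.1", otherwise the second directive is parsed as part of the warning text. On the wording: the warning sends ZFS users straight to ``allow_world_readable_tmpfiles``, which makes the module file readable by everyone on the managed host. The list above it already offers pipelining and not becoming an unprivileged user as alternatives that keep the file private, so the warning should point to those first and present the world-readable setting as the fallback. Within the sentence itself, "ACLs" and "acls" are mixed; use one capitalization.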