author | Nils Steinger <git@n-st.de> | 2016-04-11 22:52:31 +0200 |
---|---|---|
committer | Nils Steinger <git@n-st.de> | 2016-04-11 22:52:31 +0200 |
commit | 7b1373480e2c56b6ab1c8f94241873ff87f9f95d (patch) | |
tree | 9c6705b8976d18e6379e291649be897443d618da | |
parent | 005dc84aa744c1cb71995d4f554fb946c19d1bc6 (diff) | |
Don't rely on username to check for root privileges
The SSH username isn't a reliable way to check if we've got root privileges on
the remote system (think "toor" on FreeBSD). Because of this check, Ansible
previously tried to use the fallback solutions for granting file access (ACLs,
world-readable files) even on systems where it had root privileges when the
remote username didn't match the literal string "root".
Instead of running checks on the username, just try using `chmod` in any case
and fall back to the previous "non-root" solution when that fails.
-rw-r--r-- | lib/ansible/plugins/action/__init__.py | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index 067f608106..9b6b7aedcf 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -311,18 +311,23 @@ class ActionBase(with_metaclass(ABCMeta, object)):
 if self._play_context.become and self._play_context.become_user not in ('root', remote_user):
 # Unprivileged user that's different than the ssh user. Let's get
 # to work!
- if remote_user == 'root':
- # SSh'ing as root, therefore we can chown
- res = self._remote_chown(remote_path, self._play_context.become_user, recursive=recursive)
- if res['rc'] != 0:
- raise AnsibleError('Failed to set owner on remote files (rc: {0}, err: {1})'.format(res['rc'], res['stderr']))
+
+ # Try chown'ing the file. This will only work if our SSH user has
+ # root privileges, but since we can't reliably determine that from
+ # the username (think "toor" on FreeBSD), let's just try first and
+ # apologize later:
+ res = self._remote_chown(remote_path, self._play_context.become_user, recursive=recursive)
+ if res['rc'] == 0:
+ # Only continue with chmod if chown worked
 if execute:
 # root can read things that don't have read bit but can't
 # execute them.
 res = self._remote_chmod('u+x', remote_path, recursive=recursive)
 if res['rc'] != 0:
 raise AnsibleError('Failed to set file mode on remote files (rc: {0}, err: {1})'.format(res['rc'], res['stderr']))
+ else:
+ # Chown'ing failed. We're probably lacking root privileges; let's try something else.
 if execute:
 mode = 'rx'
 else: |