os.chdir fails if the sudo/become user lacks adequate permissions to chdir prior to task #636

@msaladna

Description

  • Which version of Ansible are you running?
    2.8.2
  • Is your version of Ansible patched in any way?
    No
  • Are you running with any custom modules, or module_utils loaded?
    No
  • Have you tried the latest master version from Git?
    Yes
  • Do you have some idea of what the underlying problem may be?
    os.chdir in runner.py does not check for permissions before attempting chdir. If permissions for the sudo user prohibit access to the cwd, then the task fails.
  • Mention your host and target OS and versions
    CentOS 7.6.1810
  • Mention your host and target Python versions
    CentOS stock, 2.7.5
  • If reporting a crash or hang in Ansible...
[task 12337] 13:59:35.925665 D mitogen.parent: starting no-reply function call to u'local.12340.sudo.postgres': mitogen.core.Dispatcher.forget_chain('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401')
[mux  12303] 13:59:35.926584 D ansible_mitogen.services: decrementing reference count for Context(4, u'local.12340.sudo.postgres')
[task 12337] 13:59:35.926955 D mitogen: MitogenProtocol(unix_listener.12303): disconnecting
[task 12337] 13:59:35.927252 D mitogen: Waker(fd=11/12): disconnecting
[task 12337] 13:59:35.927629 D mitogen: Router(Broker(7e50)): stats: 0 module requests in 0 ms, 0 sent (0 ms minify time), 0 negative responses. Sent 0.0 kb total, 0.0 kb avg.
[mux  12303] 13:59:35.929497 D mitogen: <Side of unix_client.12337 fd 76>: empty read, disconnecting
[mux  12303] 13:59:35.929760 D mitogen: MitogenProtocol(unix_client.12337): disconnecting
[mux  12303] 13:59:35.930372 D mitogen.[local.12340.sudo.postgres]: Dispatcher: dispatching (None, u'mitogen.core', u'Dispatcher', u'forget_chain', ('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401',), Kwargs({}))
[mux  12303] 13:59:35.930643 D mitogen.[local.12340.sudo.postgres]: Dispatcher: Message(4, 1, 0, 101, 0, '\x80\x02(NX\x0c\x00\x00\x00mitogen.coreX\n\x00\x00\x00Dispatcherq\x01X\x0c\x00\x00\x00forget_'..151) -> None
[mux  12303] 13:59:35.933657 D mitogen.service.[local.12340]: Pool(6a10, size=2, th='MainThread'): initialized
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 144, in run
    res = self._execute()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 648, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 116, in run
    return super(ActionModuleMixin, self).run(tmp, task_vars)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/normal.py", line 46, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 359, in _execute_module
    timeout_secs=self.get_task_timeout_secs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/planner.py", line 503, in invoke
    kwargs=planner.get_kwargs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 445, in call
    return self._rethrow(recv)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 431, in _rethrow
    return recv.get().unpickle()
  File "/usr/lib/python2.7/site-packages/mitogen/core.py", line 963, in unpickle
    raise obj
CallError: exceptions.OSError: [Errno 13] Permission denied: '/usr/local/apnscp/resources/playbooks'
  File "<stdin>", line 3661, in _dispatch_one
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/target.py", line 422, in run_module
    return impl.run()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 440, in run
    self.setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 850, in setup
    super(NewStyleRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 623, in setup
    super(ProgramRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 374, in setup
    self._setup_cwd()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 384, in _setup_cwd
    os.chdir(self.cwd)


fatal: [localhost]: FAILED! => {
    "msg": "Unexpected failure during module execution.", 
    "stdout": ""
}
  • If reporting any kind of problem with Ansible, please include the Ansible
    version along with output of "ansible-config dump --only-changed".
    # ansible-config dump --only-changed
    DEFAULT_STRATEGY(/usr/local/apnscp/resources/playbooks/ansible.cfg) = mitogen_linear
    DEFAULT_STRATEGY_PLUGIN_PATH(/usr/local/apnscp/resources/playbooks/ansible.cfg) = 
    [u'/usr/lib/python2.7/site-packages/ansible_mitogen/plugins/strategy']
    

Sample play to reproduce the behavior:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Become bug
      become_user: postgres
      become: True
      postgresql_user: name=testuser password=abc db=template1 encrypted=yes
      register: user_changed

Verification of the permissions:

sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
ls: cannot access /usr/local/apnscp/resources/playbooks/: Permission denied

Then if we change permissions to allow access by user "postgres":

chmod 711 /usr/local/apnscp/
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
# ls succeeds

Likewise the play completes as expected:

changed: [localhost] => {
    "changed": true, 
    "invocation": {
        "module_args": {
            "ca_cert": null, 
            "conn_limit": null, 
            "db": "template1", 
            "encrypted": true, 
            "expires": null, 
            "fail_on_user": true, 
            "login_host": "", 
            "login_password": "", 
            "login_unix_socket": "", 
            "login_user": "postgres", 
            "name": "testuser", 
            "no_password_changes": false, 
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
            "port": 5432, 
            "priv": null, 
            "role_attr_flags": "", 
            "session_role": null, 
            "ssl_mode": "prefer", 
            "state": "present", 
            "user": "testuser"
        }
    }, 
    "queries": [
        "CREATE USER \"testuser\" WITH ENCRYPTED PASSWORD %(password)s "
    ], 
    "user": "testuser"
}
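Added example, not mitogen's code: a defensive version of the `_setup_cwd` step from the traceback above. It walks the requested cwd component by component with os.access(X_OK) (the traversal bit that `chmod 711` on the parent supplied) and falls back to a usable directory instead of raising EACCES. The function names, `MISSING_DIR` sample path and fallback order are assumptions; the check must run in the become user's process, since os.access is answered for the calling uid (and root passes everything).

```python
import os
import tempfile


def first_inaccessible_component(path):
    """Return the first ancestor of `path` the current user cannot traverse
    (no execute bit, or missing), or None if the whole path is reachable.
    os.chdir() needs +x on every component, which is why 'chmod 711' on
    /usr/local/apnscp/ fixed the report above. Run this as the become user:
    os.access() answers for the calling uid, and root is never refused."""
    path = os.path.abspath(path)
    cur = os.sep
    for part in path.split(os.sep)[1:]:
        cur = os.path.join(cur, part)
        if not os.access(cur, os.X_OK):
            return cur
    return None


def safe_chdir(cwd, fallbacks=None):
    """Attempt os.chdir(cwd); on OSError (EACCES, ENOENT, ...) try each
    fallback in order (default: the become user's home, then the temp dir).
    Returns the directory actually entered so the caller can log the
    substitution instead of failing the whole task."""
    if fallbacks is None:
        fallbacks = [os.path.expanduser("~"), tempfile.gettempdir()]
    candidates = [cwd] + [d for d in fallbacks if d]
    for d in candidates:
        try:
            os.chdir(d)
            return d
        except OSError:
            continue
    raise OSError("no usable working directory among %r" % candidates)


# Constructed sample paths (assumptions): the temp dir is always traversable,
# and this child of it is deliberately absent, so chdir() must fall back.
TMP_DIR = tempfile.gettempdir()
MISSING_DIR = os.path.join(TMP_DIR, "mitogen-636-does-not-exist")

if __name__ == "__main__":
    print("blocked at:", first_inaccessible_component(MISSING_DIR))
    print("entered:", safe_chdir(MISSING_DIR))
```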
