Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

synchronize module ignores become_user when become in effect #186

Closed
smemsh opened this issue May 12, 2021 · 2 comments · Fixed by #187
Closed

synchronize module ignores become_user when become in effect #186

smemsh opened this issue May 12, 2021 · 2 comments · Fixed by #187
Labels
bug This issue/PR relates to a bug. has_pr

Comments

@smemsh
Copy link
Contributor

smemsh commented May 12, 2021

SUMMARY

The synchronize module always writes files as root if become is in effect and become_method is sudo, regardless of the specified become_user. It should write files as the become_user. This is quite unexpected to write the file with a different user than the one specified, and contradicts the documentation for the module:

The user and permissions for the synchronize dest are those of the remote_user on the destination host or the become_user if become=yes is active.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

synchronize

ANSIBLE VERSION
 $ ansible --version
ansible 2.10.9
  config file = /home/scott/src/setup/.ansible.cfg
  configured module search path = ['/home/scott/src/setup/lib']
  ansible python module location = /home/scott/src/setup/venv/lib/python3.9/site-packages/ansible
  executable location = /home/scott/src/setup/venv/bin/ansible
  python version = 3.9.5 (tags/v3.9.5:0a7dcbdb13, May  4 2021, 16:51:37) [GCC 9.3.0]
CONFIGURATION
OS / ENVIRONMENT

recent linux on client and server

STEPS TO REPRODUCE
$ ssh scott@scott rm -f testfile
$ rm -f empty.cfg testfile
$ touch empty.cfg testfile
$ ANSIBLE_CONFIG=empty.cfg \
  env -i PATH=$PATH SSH_AUTH_SOCK=$SSH_AUTH_SOCK \
  `which ansible` \
      -b --become-user=scott \
      -i scott, \
      -m synchronize \ 
      -a "src=testfile dest=/home/scott/ archive=false" \
      scott \
   && ssh scott stat -c %U:%G testfile
EXPECTED RESULTS

remote file should be owned by scott:scott as shown by stat command

ACTUAL RESULTS
scott | CHANGED => {
    "changed": true,
    "cmd": "/usr/local/bin/rsync --delay-updates -F --compress --rsh=/usr/bin/ssh -S none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null --rsync-path=sudo rsync --out-format=<<CHANGED>>%i %n%L /home/scott/src/setup/testfile scott:/home/scott/",
    "msg": "<f+++++++++ testfile\n",
    "rc": 0,
    "stdout_lines": [
        "<f+++++++++ testfile"
    ]
}

$ ssh scott@scott stat -c %U:%G testfile
root:root
@smemsh smemsh mentioned this issue May 12, 2021
Merged
@frittentheke frittentheke mentioned this issue May 16, 2021
Closed
@Akasurde
Copy link
Member

Akasurde commented Jun 3, 2021

resolved_by_pr #187

@Akasurde Akasurde added bug This issue/PR relates to a bug. has_pr labels Jun 3, 2021
@frittentheke
Copy link

resolved_by_pr #187

It's not merged yet.

ansible-zuul bot added a commit that referenced this issue Jul 8, 2021
@ansible-zuul
Merge pull request #187 from smemsh/fix-synchronize-become-user
f6fa00b 
synchronize: fix to honor become_user when become_method sudo

SUMMARY

When become_method is sudo, the synchronize module ignores become_user, always running as root.  This means one cannot create files as a target user, when they need to get in via a third user and can only sudo via that one.  In my case, I'm connecting via a special provisioning user that has sudo privs, but I need to create the files as the become_user.  I'm using it to deposit skeleton files, and there should be no reason to run another task with chown; after all, the documentation already describes the desired behavior:

The user and permissions for the synchronize dest are those of the remote_user on the destination host or the become_user if become=yes is active.

This patch takes the running become_user (if it's not None) and adds it to the sudo command with the -u command line option, so the file gets created correctly.  I have tested this and it works.
Other become_methods are ignored, but they already were anyways (the code already has a TODO to add other methods, which we don't attempt in this patch)
Fixes #186

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

synchronize
ADDITIONAL INFORMATION


See reproduction in #186.
This appears to have been in place since ansible/ansible@811a906

Reviewed-by: Amin Vakil <[email protected]>
Reviewed-by: Sumit Jaiswal <[email protected]>
@renovate renovate bot mentioned this issue Aug 25, 2021
Merged
1 task
@renovate renovate bot mentioned this issue Apr 19, 2022
Merged
1 task
This was referenced Aug 19, 2022
Closed
Closed
This was referenced Sep 14, 2022
Closed
Closed
@renovate-tests renovate-tests mentioned this issue Nov 24, 2022
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue/PR relates to a bug. has_pr
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

synchronize: fix to honor become_user when become_method sudo
3 participants
@Akasurde @smemsh @frittentheke