lineinfile resets extended acl

[bsolomon1124]

Note: root/UID 0 # prompt has been changed to $ here to help GitHub get markdown shell syntax highlighting right.

SUMMARY

lineinfile removes existing ACL as if setfacl --remove-all had been called on file.

ISSUE TYPE

• Bug Report

COMPONENT NAME

lineinfile

ANSIBLE VERSION

ansible 2.9.13
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Mar 20 2020, 17:08:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

CONFIGURATION

None overriden.

OS / ENVIRONMENT

RHEL 7.9

STEPS TO REPRODUCE

$ whoami
root
$ echo 'foo' > temp.txt
$ chmod 640 temp.txt
$ setfacl -m g:administrators:r temp.txt
$ ls -ld temp.txt
-rw-r-----+ 1 root root 4 Dec  9 21:05 temp.txt

$ getfacl temp.txt
# file: temp.txt
# owner: root
# group: root
user::rw-
group::r--
group:administrators:r--
mask::r--
other::---

$ cat << EOF > toypb.yaml
> - name: test
>   hosts: localhost
>   connection: local
>   gather_facts: false
>   tasks:
>     - lineinfile:
>         path: temp.txt
>         regexp: '^foo'
>         line: bar
>         owner: root
>         group: root
>         mode: 0640
> EOF

$ ansible-playbook toypb.yaml

$ cat temp.txt
bar
$ ls -ld temp.txt
-rw-r-----. 1 root root 4 Dec  9 21:06 temp.txt
$ getfacl !$
getfacl temp.txt
# file: temp.txt
# owner: root
# group: root
user::rw-
group::r--
other::---

EXPECTED RESULTS

Result of getfacl should shown extended read permissions, unchanged before task execution.

ACTUAL RESULTS

$ getfacl temp.txt
# file: temp.txt
# owner: root
# group: root
user::rw-
group::r--
other::---

[ansibot]

Files identified in the description:

• lib/ansible/modules/lineinfile.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[bsolomon1124]

Going to venture a guess this occurs during/as a result of atomic_move(tmpfile, dest) though it claims to "[copy] attributes from dest."

ansible/lib/ansible/module_utils/basic.py

Line 2309 in 0b13cca

def atomic_move(self, src, dest, unsafe_writes=False):

[Shrews]

I'm not a SELinux expert by any means, but it looks to me like if atomic_move() attempts to maintain file SELinux context, but not the ACLs. I'm not totally sure why, but looking at the libselinux library, I'm not seeing any API methods that we'd be able to use to set ACLs. The acl module (now in the ansible.posix collection) uses calls to the setfacl and getfacl command line utilities, maybe because of the library limitations.

One workaround for your issue, then, is to use the acl module mentioned above.

Maybe @bcoca can lend an assist here, since I think he may have more background on how and why atomic_move() works the way it does?

[bsolomon1124]

One workaround for your issue, then, is to use the acl module mentioned above.

Yes, in this case, it seems like we were basically required to follow any lineinfile call with an acl. (I'm not sure what other modules might use atomic_move(), but guessing there are at least a few.)

[samdoran]

Similar to #51868.

[AdrianOsica]

Hi, this bug is still unsolved?

[bcoca]

that is what an open ticket means

[AdrianOsica]

Oh, ok. Fyi bug also affect for me