author | Martin Krizek <martin.krizek@gmail.com> | 2019-04-03 18:37:59 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-04-03 18:37:59 +0200 |
commit | d15812fabf7113c89633ffe530140a3e52f203d3 (patch) | |
tree | 0b6c0bcad9fc7cedf7b77dc6c0117c29599c9653 /test | |
parent | asa: Not all modules will have 'passwords' and 'context' keys (#54783) (diff) | |
Fix copy module to reset filesystem acls (#51868)

The controller's fixup_perms2 uses filesystem acls to make the temporary
file for copy readable by an unprivileged become user. On Python3, the
acls are then copied to the destination filename so we have to remove
them from there.

We can't remove them prior to the copy because we may not have
permission to read the file if the acls are not present. We can't
remove them in atomic_move() because the move function shouldn't know
anything about controller features. We may want to generalize this into
a helper function, though.

Fixes #44412

Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
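
The leftover-ACL condition the commit message describes can be checked from `getfacl` output in general, not just for one rendered line. The following is an added example, not code from this commit or from Ansible; the function names, the user name `unpriv` and both sample outputs are constructed for illustration.

```python
# Constructed sample: getfacl text for a file that kept a named-user entry.
# "unpriv" is a placeholder user name.
WITH_LEFTOVER = """\
# file: home/unpriv/test.txt
# owner: unpriv
# group: unpriv
user::rw-
user:unpriv:r-x\t#effective:r--
group::r--
mask::r--
other::r--
"""
# Constructed sample: the same file with only the three base entries.
CLEAN = """\
# file: home/unpriv/test.txt
# owner: unpriv
# group: unpriv
user::rw-
group::r--
other::r--
"""

def parse_getfacl(text):
    """Return (tag, qualifier, perms) for every ACL entry in getfacl text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops headers and "#effective:" notes
        if not line:
            continue
        parts = line.split(":")
        if parts[0] == "default" and len(parts) == 4:  # directory default entries
            parts = ["default:" + parts[1]] + parts[2:]
        if len(parts) != 3:
            raise ValueError("unrecognised getfacl line: %r" % raw)
        entries.append(tuple(parts))
    return entries

def leftover_entries(text):
    """Entries beyond the base user::/group::/other:: triple.
    A mask entry is reported too: it means an extended ACL is still attached."""
    return [e for e in parse_getfacl(text)
            if e[1] or e[0] not in ("user", "group", "other")]

def base_mode(text):
    """Mode bits implied by the three base entries, e.g. 0o644."""
    shift = {"user": 6, "group": 3, "other": 0}
    mode = 0
    for tag, qualifier, perms in parse_getfacl(text):
        if tag in shift and not qualifier:
            mode |= sum(v for c, v in zip(perms, (4, 2, 1)) if c != "-") << shift[tag]
    return mode
```
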
Diffstat (limited to 'test')
-rw-r--r-- | test/integration/targets/copy/tasks/acls.yml | 33 |
-rw-r--r-- | test/integration/targets/copy/tasks/main.yml | 3 |
2 files changed, 36 insertions, 0 deletions
diff --git a/test/integration/targets/copy/tasks/acls.yml b/test/integration/targets/copy/tasks/acls.yml new file mode 100644 index 0000000000..9a3be9b064 --- /dev/null +++ b/test/integration/targets/copy/tasks/acls.yml @@ -0,0 +1,33 @@ +- block: + - block: + - name: Testing ACLs + copy: + content: "TEST" + mode: 0644 + dest: "~/test.txt" + + - shell: getfacl ~/test.txt + register: acls + + become: yes + become_user: "{{ remote_unprivileged_user }}" + + - name: Check that there are no ACLs leftovers + assert: + that: + - "'user:{{ remote_unprivileged_user }}:r-x\t#effective:r--' not in acls.stdout_lines" + + - name: Check that permissions match with what was set in the mode param + assert: + that: + - "'user::rw-' in acls.stdout_lines" + - "'group::r--' in acls.stdout_lines" + - "'other::r--' in acls.stdout_lines" + + always: + - name: Clean up + file: + path: "~/test.txt" + state: absent + become: yes + become_user: "{{ remote_unprivileged_user }}" diff --git a/test/integration/targets/copy/tasks/main.yml b/test/integration/targets/copy/tasks/main.yml index e1ae5a46b6..f1861ea7f8 100644 --- a/test/integration/targets/copy/tasks/main.yml +++ b/test/integration/targets/copy/tasks/main.yml @@ -58,6 +58,9 @@ - import_tasks: tests.yml remote_user: '{{ remote_unprivileged_user }}' + - import_tasks: acls.yml + when: ansible_system == 'Linux' + always: - name: Cleaning file: |
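
Review bot: In acls.yml, the "Check that there are no ACLs leftovers" assert matches one exact getfacl line, `'user:{{ remote_unprivileged_user }}:r-x\t#effective:r--'`, so a leftover entry printed with different permissions, or without the effective-rights comment, would still pass. Consider asserting that no line in `acls.stdout_lines` starts with `user:{{ remote_unprivileged_user }}:`, which covers every rendering of that entry. Two smaller points in the same file: the `shell: getfacl ~/test.txt` task has no `name`, and `mode: 0644` is unquoted, so quoting it as `"0644"` would avoid depending on how the YAML parser treats the leading zero.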
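
Review bot: In main.yml, the new `when: ansible_system == 'Linux'` on the acls.yml import gates on the operating system only, while the imported tasks shell out to `getfacl`; on a Linux target without that tool the shell task would fail rather than be skipped. A short comment saying why the test is Linux-only, or an additional condition on `getfacl` being available, would make the intent explicit and keep the copy target from failing for an unrelated reason.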