Fix copy module to reset filesystem acls (#51868)

The controller's fixup_perms2 uses filesystem acls to make the temporary file for copy readable by an unprivileged become user. On Python3, the acls are then copied to the destination filename so we have to remove them from there. We can't remove them prior to the copy because we may not have permission to read the file if the acls are not present. We can't remove them in atomic_move() because the move function shouldn't know anything about controller features. We may want to generalize this into a helper function, though. Fixes #44412 Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
2025-05-21 08:29:08 -07:00 · 2019-04-03 18:37:59 +02:00 · 2019-04-03 18:37:59 +02:00 · d15812fabf
commit d15812fabf
parent 40507220b4
6 changed files with 131 additions and 4 deletions
--- a/lib/ansible/plugins/action/init.py
+++ b/lib/ansible/plugins/action/init.py
@ -407,6 +407,20 @@ class ActionBase(with_metaclass(ABCMeta, object)):
                self._connection._shell.tmpdir = None

    def _transfer_file(self, local_path, remote_path):
+        """
+        Copy a file from the controller to a remote path
+
+        :arg local_path: Path on controller to transfer
+        :arg remote_path: Path on the remote system to transfer into
+
+        .. warning::
+            * When you use this function you likely want to use use fixup_perms2() on the
+              remote_path to make sure that the remote file is readable when the user becomes
+              a non-privileged user.
+            * If you use fixup_perms2() on the file and copy or move the file into place, you will
+              need to then remove filesystem acls on the file once it has been copied into place by
+              the module.  See how the copy module implements this for help.
+        """
        self._connection.put_file(local_path, remote_path)
        return remote_path