ansible/test/integration/targets/copy/tasks/acls.yml

- block:
  - block:
    - name: Testing ACLs
      copy:
        content: "TEST"
        mode: 0644
        dest: "~/test.txt"

    - shell: getfacl ~/test.txt
      register: acls

    become: yes
    become_user: "{{ remote_unprivileged_user }}"

  - name: Check that there are no ACLs leftovers
    assert:
      that:
        - "'user:{{ remote_unprivileged_user }}:r-x\t#effective:r--' not in acls.stdout_lines"

  - name: Check that permissions match with what was set in the mode param
    assert:
      that:
        - "'user::rw-' in acls.stdout_lines"
        - "'group::r--' in acls.stdout_lines"
        - "'other::r--' in acls.stdout_lines"

  always:
    - name: Clean up
      file:
        path: "~/test.txt"
        state: absent
      become: yes
      become_user: "{{ remote_unprivileged_user }}"
Fix copy module to reset filesystem acls (#51868) The controller's fixup_perms2 uses filesystem acls to make the temporary file for copy readable by an unprivileged become user. On Python3, the acls are then copied to the destination filename so we have to remove them from there. We can't remove them prior to the copy because we may not have permission to read the file if the acls are not present. We can't remove them in atomic_move() because the move function shouldn't know anything about controller features. We may want to generalize this into a helper function, though. Fixes #44412 Co-authored-by: Toshio Kuratomi <a.badger@gmail.com> 6 years ago			`- block:`
			`- block:`
			`- name: Testing ACLs`
			`copy:`
			`content: "TEST"`
			`mode: 0644`
			`dest: "~/test.txt"`

			`- shell: getfacl ~/test.txt`
			`register: acls`

			`become: yes`
			`become_user: "{{ remote_unprivileged_user }}"`

			`- name: Check that there are no ACLs leftovers`
			`assert:`
			`that:`
			`- "'user:{{ remote_unprivileged_user }}:r-x\t#effective:r--' not in acls.stdout_lines"`

			`- name: Check that permissions match with what was set in the mode param`
			`assert:`
			`that:`
			`- "'user::rw-' in acls.stdout_lines"`
			`- "'group::r--' in acls.stdout_lines"`
			`- "'other::r--' in acls.stdout_lines"`

			`always:`
			`- name: Clean up`
			`file:`
			`path: "~/test.txt"`
			`state: absent`
			`become: yes`
			`become_user: "{{ remote_unprivileged_user }}"`