diff --git a/lib/ansible/plugins/shell/__init__.py b/lib/ansible/plugins/shell/__init__.py
index 9285ded4d34..effbddd58ee 100644
--- a/lib/ansible/plugins/shell/__init__.py
+++ b/lib/ansible/plugins/shell/__init__.py
@@ -111,9 +111,28 @@ class ShellBase(object):
     def mkdtemp(self, basefile=None, system=False, mode=None):
         if not basefile:
             basefile = 'ansible-tmp-%s-%s' % (time.time(), random.randint(0, 2**48))
-        basetmp = self.join_path(C.DEFAULT_REMOTE_TMP, basefile)
+
+        # When system is specified we have to create this in a directory where
+        # other users can read and access the temp directory. This is because
+        # we use system to create tmp dirs for unprivileged users who are
+        # sudo'ing to a second unprivileged user. The only dirctories where
+        # that is standard are the tmp dirs, /tmp and /var/tmp. So we only
+        # allow one of those two locations if system=True. However, users
+        # might want to have some say over which of /tmp or /var/tmp is used
+        # (because /tmp may be a tmpfs and want to conserve RAM or persist the
+        # tmp files beyond a reboot. So we check if the user set REMOTE_TMP
+        # to somewhere in or below /var/tmp and if so use /var/tmp. If
+        # anything else we use /tmp (because /tmp is specified by POSIX nad
+        # /var/tmp is not).
         if system:
-            basetmp = self.join_path('/tmp', basefile)
+            if C.DEFAULT_REMOTE_TMP.startswith('/var/tmp'):
+                basetmpdir = '/var/tmp'
+            else:
+                basetmpdir = '/tmp'
+        else:
+            basetmpdir = C.DEFAULT_REMOTE_TMP
+        basetmp = self.join_path(basetmpdir, basefile)
+
         cmd = 'mkdir -p %s echo %s %s' % (self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT)
         cmd += ' %s echo %s echo %s %s' % (self._SHELL_AND, self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT)
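Review bot: With `system=True` the new branch always places the directory in a shared, world-writable location, but the unchanged `mkdir -p` on the context line right after it succeeds silently when `/tmp/ansible-tmp-…` already exists, so a local user who pre-creates that name (which is derived from `time.time()` and the non-cryptographic `random.randint(0, 2**48)` visible above) ends up owning the directory that ansible then populates. Because `/tmp` and `/var/tmp` are guaranteed to exist, the leaf should be created without `-p` in the system case so that a pre-existing directory is an error rather than a silent reuse, e.g. `cmd = 'mkdir %s%s echo %s %s' % ('' if system else '-p ', self._SHELL_SUB_LEFT, basetmp, self._SHELL_SUB_RIGHT)`, ideally followed by an ownership check on the created path. Separately, `C.DEFAULT_REMOTE_TMP.startswith('/var/tmp')` also matches unrelated paths such as `/var/tmpfoo`; `startswith('/var/tmp/')` combined with an equality test matches the intent the comment describes. mkdtemp's body appears to continue past the end of the hunk (the `mode` parameter is not used within the visible lines).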