mirror of https://github.com/ansible/ansible.git
Allow macOS ACLs to work for unpriv -> unpriv (#70785)
Change:
- Use `chmod +a` in the fallback chain to allow MacOS to use ACLs to allow an unprivileged user to become an unprivileged user.

Test Plan:
- CI, new tests

Tickets:
- Fixes #70648

Signed-off-by: Rick Elrod <rick@elrod.me>

pull/71094/head
parent 79f7104556
commit 0d7c144ce4
@ -0,0 +1,2 @@
|
|||||||
|
minor_changes:
|
||||||
|
- When connecting as an unprivileged user, and becoming an unprivileged user, we now fall back to also trying ``chmod +a`` which works on macOS and makes use of ACLs.
|
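Review bot: The changelog entry says the fallback "makes use of ACLs" but does not say what the ACL grants or to whom. The test added in this commit checks for `user:unpriv2 allow read`, so the fragment could state that the become user is given a read ACL entry on the module file. Operators who audit permissions on temporary files would then know what to expect from this fallback without reading the code.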
@ -0,0 +1,26 @@
|
|||||||
|
- name: Tests for chmod +a ACL functionality on macOS
|
||||||
|
hosts: ssh
|
||||||
|
gather_facts: yes
|
||||||
|
remote_user: unpriv1
|
||||||
|
become: yes
|
||||||
|
become_user: unpriv2
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Get AnsiballZ temp directory
|
||||||
|
action: tmpdir
|
||||||
|
register: tmpdir
|
||||||
|
become_user: unpriv2
|
||||||
|
become: yes
|
||||||
|
|
||||||
|
- name: run whoami
|
||||||
|
command: whoami
|
||||||
|
register: whoami
|
||||||
|
|
||||||
|
- name: Ensure we used the right fallback
|
||||||
|
shell: ls -le /var/tmp/ansible*/*_command.py
|
||||||
|
register: ls
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- whoami.stdout == "unpriv2"
|
||||||
|
- "'user:unpriv2 allow read' in ls.stdout"
|
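Review bot: The "Ensure we used the right fallback" task globs `/var/tmp/ansible*/*_command.py`, while the `tmpdir` value registered by the first task is never used. The glob matches any Ansible temp directory under /var/tmp, including leftovers from earlier runs, and the assertion is a substring check on the combined `ls` output, so a stale file carrying the ACL entry could make the test pass even if this run took a different fallback. Consider scoping the `ls -le` to the registered `tmpdir` path, or dropping the `tmpdir` task if it is not needed. Separately, the play is described as macOS-only and sets `gather_facts: yes`, but nothing in it checks the platform; a condition or assertion on the gathered facts would make a run against a non-macOS host fail with a clear message instead of an `ls -le` error. The task-level `become: yes` and `become_user: unpriv2` on the first task also repeat the play-level settings and can be removed.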