From 73fcf9ba6ed6cf759bf34cc437fdad84c2693736 Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Fri, 17 Jun 2016 10:01:11 -0700 Subject: [PATCH] Note that ZFS's acls won't work with Ansible's secure temp file code. --- docsite/rst/become.rst | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docsite/rst/become.rst b/docsite/rst/become.rst index 06606a5934e..4044e01f9ad 100644 --- a/docsite/rst/become.rst +++ b/docsite/rst/become.rst @@ -138,12 +138,11 @@ Ways to resolve this include: the remote python interpreter's stdin. Pipelining does not work for non-python modules. -* (Available in Ansible 2.1) Install filesystem acl support on the managed - host. If the temporary directory on the remote host is mounted with - filesystem acls enabled and the :command:`setfacl` tool is in the remote - ``PATH`` then Ansible will use filesystem acls to share the module file with - the second unprivileged instead of having to make the file readable by - everyone. +* (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the + managed host. If the temporary directory on the remote host is mounted with + POSIX acls enabled and the :command:`setfacl` tool is in the remote ``PATH`` + then Ansible will use POSIX acls to share the module file with the second + unprivileged user instead of having to make the file readable by everyone. * Don't perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you 
@@ -151,6 +150,11 @@ Ways to resolve this include: file permissions are also secure if you make the connection to the managed machine as root and then use ``become`` to an unprivileged account. +.. warn:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs + are not POSIX.1e filesystem acls (they are NFSv4 ACLs instead). Ansible + cannot use these ACLs to manage its temp file permissions so you may have + to resort to ``allow_world_readable_tmpfiles`` if the remote machines use ZFS. + .. versionchanged:: 2.1 In addition to the additional means of doing this securely, Ansible 2.1 also
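Review bot: `.. warn::` in the added admonition of the second hunk (`@@ -151,6 +150,11 @@`) is not a Sphinx directive; the admonition is spelled `.. warning::`. As written, Sphinx will report an unknown directive and the ZFS note will not appear in the rendered `become` page, which defeats the purpose of the patch. Suggest changing the first added line to `.. warning:: Although the Solaris ZFS filesystem has filesystem ACLs, the ACLs` and keeping the continuation lines indented as they are. While touching it, the body mixes "ACLs" and "filesystem acls" in consecutive lines; pick one spelling so the admonition matches the bullet above it.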
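Review bot: In the first hunk (`@@ -138,12 +138,11 @@`) the rewritten bullet lowercases the term throughout ("filesystem acl support", "POSIX acls enabled", "use POSIX acls"), while the warning added later in the same patch writes "ACLs". Suggest "POSIX.1e filesystem ACL support", "POSIX ACLs enabled" and "use POSIX ACLs" so the bullet and the admonition read consistently; the wording fix that completes "the second unprivileged" to "the second unprivileged user" is correct and should stay.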