From e526b2ad3d4b345cd3c8c9c610a6605718052a56 Mon Sep 17 00:00:00 2001
From: Christian Schwarz <me@cschwarz.com>
Date: Mon, 1 Aug 2016 19:35:39 +0200
Subject: [PATCH] system/service.py: fix false-positive service enablement on
 FreeBSD. (#4283)

sysrc(8) does not exit with non-zero status when encountering a
permission error.

By using service(8) `service <name> enabled`, we now check the actual
semantics expressed through calling sysrc(8), i.e. we check if the
service enablement worked from the rc(8) system's perspective.

Note that in case service(8) detects the wrong value is still set,
we still output the sysrc(8) output in the fail_json() call:
the user can derive the exact reason of failure from sysrc(8) output.
---
 lib/ansible/modules/system/service.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/modules/system/service.py b/lib/ansible/modules/system/service.py
index 072f1f1aafa..724f39baa9d 100644
--- a/lib/ansible/modules/system/service.py
+++ b/lib/ansible/modules/system/service.py
@@ -1005,9 +1005,14 @@ class FreeBsdService(Service):
                 if self.module.check_mode:
                     self.module.exit_json(changed=True, msg="changing service enablement")
 
-                rc, stdout, stderr = self.execute_command("%s %s=\"%s\"" % (self.sysrc_cmd, self.rcconf_key, self.rcconf_value ) )
+                rc, change_stdout, change_stderr = self.execute_command("%s %s=\"%s\"" % (self.sysrc_cmd, self.rcconf_key, self.rcconf_value ) )
                 if rc != 0:
-                    self.module.fail_json(msg="unable to set rcvar using sysrc", stdout=stdout, stderr=stderr)
+                    self.module.fail_json(msg="unable to set rcvar using sysrc", stdout=change_stdout, stderr=change_stderr)
+
+                # sysrc does not exit with code 1 on permission error => validate successful change using service(8)
+                rc, check_stdout, check_stderr = self.execute_command("%s %s %s" % (self.svc_cmd, self.name, "enabled"))
+                if self.enable != (rc == 0): # rc = 0 indicates enabled service, rc = 1 indicates disabled service
+                    self.module.fail_json(msg="unable to set rcvar: sysrc did not change value", stdout=change_stdout, stderr=change_stderr)
 
             else:
                 self.changed = False