* Fix copy module to reset filesystem acls (#51868)
The controller's fixup_perms2 uses filesystem acls to make the temporary
file for copy readable by an unprivileged become user. On Python3, the
acls are then copied to the destination filename so we have to remove
them from there.
We can't remove them prior to the copy because we may not have
permission to read the file if the acls are not present. We can't
remove them in atomic_move() because the move function shouldn't know
anything about controller features. We may want to generalize this into
a helper function, though.
Fixes#44412
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
(cherry picked from commit d15812fabf)
* Fix get_bin_path usage
* Catch all request timeouts for winrm connection
The current implementation only catches 'ConnectTimeout' exceptions.
Instead we should catch 'Timout' which also catches ReadTimeout
exceptions.
Improves on: #51744
Co-Authored-By: westphahl <westphahl@gmail.com>
* Changelog for winrm error handling improvement
* Revert "allow caller to deal with timeout (#49449)"
This reverts commit 63279823a7.
Flawed on many levels
* Adds poor API to a public function
* Papers over the fact that the public function is doing something bad
by catching exceptions it cannot handle in the first place
* Papers over the real cause of the issue which is a bug in the timeout
decorator
* Doesn't reraise properly
* Catches the wrong exception
Fixes#49824Fixes#49817
* Make the timeout decorator properly raise an exception outside of the function's scope
signal handlers which raise exceptions will never work well because the
exception can be raised anywhere in the called code. This leads to
exception race conditions where the exceptions could end up being
hanlded by unintended pieces of the called code.
The timeout decorator was using just that idiom. It was especially bad
because the decorator syntactically occurs outside of the called code
but because of the signal handler, the exception was being raised inside
of the called code.
This change uses a thread instead of a signal to manage the timeout in
parallel to the execution of the decorated function. Since raising of
the exception happens inside of the decorator, now, instead of inside of
a signal handler, the timeout exception is raised from outside of the
called code as expected which makes reasoning about where exceptions are
to be expected intuitive again.
Fixes#43884
* Add a common case test.
Adding an integration test driven from our unittests. Most of the time
we'll timeout in run_command which is running things in a subprocess.
Create a test for that specific case in case anything funky comes up
between threading and execve.
* Don't use OSError-based TimeoutError as a base class
Unlike most standard exceptions, OSError has a specific parameter list
with specific meanings. Instead follow the example of other stdlib
functions, concurrent.futures and multiprocessing and define a separate
TimeoutException.
* Add comment and docstring to point out that this is not hte Python3 TimeoutError
(cherry picked from commit bd072fe83a)
In pyyaml versions before 5.1 the default_flow_style for yaml.dump
was None. Starting with 5.1 it is now False. This change explicitly
sets the value to None to maintain the original to_yaml behavior.
The change to pyyaml was made in the following commit:
507a464ce6
(cherry picked from commit 7f0e09aa31)
Co-authored-by: Matt Clay <matt@mystile.com>
* Fixed crash with hidden files
added "-force" parameter on "Get-Item" cmdlet. this is needed to get file info if the file is "hidden"
without this option modules like win_file, win_template, win_copy crashes on hidden files. this is because with "test-path" it sees that the file exists, but "get-item" can't get the file info.
for more information on "-force option": https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-item
* Add changelog and integration tests
* fix tests for older Windows versions
(cherry picked from commit 3bc474bf99)
* win_domain: fix issue when running without credential delegation
* Add check for reboot is required to complete role e install
* Fix changelog sanity issue
* removed meta file accidentally committed
(cherry picked from commit 008db85d44)
* mysql_user: Match quotes, double quotes and backticks when checking current privileges
(cherry picked from commit 1ae0e21383)
* Add changelog fragment for PR #40092
(cherry picked from commit 8974ce3c78)
* mysql_user: fix malformed regex used to check current privileges
* Raise AnsibleConnectionError on winrm con errors
Currently all uncaught exceptions of the requests library that is used
in winrm will lead to an "Unexpected failure during module execution".
Instead of letting all exceptions bubble up we catch the connection
related errors (inkl. timeouts) and re-raise them as
AnsibleConnectionError so Ansible will mark the host as unreachable and
exit with the correct return code.
This is especially important for Zuul (https://zuul-ci.org) to
distinguish between failures and connection/host related errors.
* Update lib/ansible/plugins/connection/winrm.py
Co-Authored-By: westphahl <westphahl@gmail.com>
* Add changelog fragment
* Disallow use of remote home directories containing .. in their path
* Add CVE to changelog
(cherry picked from commit b34d141)
Co-authored-by: Matt Martz <matt@sivel.net>
This is an implementation of 8bffcf8e50
that was done in the PR https://github.com/ansible/ansible/pull/48082 to devel.
The changes have been manually brought across to the the stable-2.7 branch as it
cannot be cleanly cherry picked due to the substantial differences in become
between these versions.
Currently we impersonate the `SYSTEM` token in order to elevate our become
process with the highest privileges it has available but there are some edge
cases where the first `SYSTEM` token we come across doesn't have the
`SeTcbPrivilege` which is required for the above. This PR adds a further check
in the search for a `SYSTEM` token to make sure it has the `SeTcbPrivilege`
before continuing.
(cherry picked from commit cc5088c9e1)
Toshio Kuratomi