gitea/ansible.posix
1
0
Fork 0
mirror of https://github.com/ansible-collections/ansible.posix.git synced 2026-06-10 02:25:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #639 from Klaas-/Klaas-fix_authorized_key (#731)

Browse Source 
Fixes #462 notice permission denied on authorized_key module

SUMMARY
As of right now the authorized_key module does not notice on an "absent" if a authorized_keys file is simply not readable to the executing user. I am trying to fix that
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
authorized_key
ADDITIONAL INFORMATION

Execute as a user that does not have access to the root users authorized keys file

- name: Delete key from root user
  ansible.posix.authorized_key:
    state: absent
    user: root
    key: ssh-rsa xxxxxxxx

- name: Delete key from root user
  become: true
  ansible.posix.authorized_key:
    state: absent
    user: root
    key: ssh-rsa xxxxxxxx

The one without become will succeed before my change and will fail with a permission denied error after my change. The 2nd task will actually remove a key from root user if become privileges are available for the executing user

Reviewed-by: Brian Coca
Reviewed-by: Klaas Demter
Reviewed-by: Felix Fontein <felix@fontein.de>
Reviewed-by: Hideki Saito <saito@fgrep.org>
(cherry picked from commit 72a6eb9729)

Co-authored-by: softwarefactory-project-zuul[bot] <33884098+softwarefactory-project-zuul[bot]@users.noreply.github.com>
This commit is contained in:
Hideki Saito
2026-05-18 10:18:52 +09:00
committed by GitHub
parent c163fb089e
commit 714c50bdb7
4 changed files with 61 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
plugins/modules/authorized_key.py
View File

@@ -225,6 +225,8 @@ import os.path
import tempfile
import re
import shlex
import errno
import traceback
from operator import itemgetter
from ansible.module_utils._text import to_native
@@ -475,16 +477,18 @@ def parsekey(module, raw_key, rank=None):
return (key, key_type, options, comment, rank)
def readfile(filename):
if not os.path.isfile(filename):
return ''
f = open(filename)
def readfile(module, filename):
try:
return f.read()
finally:
f.close()
with open(filename, 'r') as f:
return f.read()
except IOError as e:
if e.errno == errno.EACCES:
module.fail_json(msg="Permission denied on file or path for authorized keys file: %s" % filename,
exception=traceback.format_exc())
elif e.errno == errno.ENOENT:
return ''
else:
raise
def parsekeys(module, lines):
@@ -597,7 +601,7 @@ def enforce_state(module, params):
# check current state -- just get the filename, don't create file
do_write = False
params["keyfile"] = keyfile(module, user, do_write, path, manage_dir)
existing_content = readfile(params["keyfile"])
existing_content = readfile(module, params["keyfile"])
existing_keys = parsekeys(module, existing_content)
# Add a place holder for keys that should exist in the state=present and