gitea/ansible.posix
1
0
Fork 0
mirror of https://github.com/ansible-collections/ansible.posix.git synced 2026-06-10 02:25:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #639 from Klaas-/Klaas-fix_authorized_key (#731)

Browse Source 
Fixes #462 notice permission denied on authorized_key module

SUMMARY
As of right now the authorized_key module does not notice on an "absent" if a authorized_keys file is simply not readable to the executing user. I am trying to fix that
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
authorized_key
ADDITIONAL INFORMATION

Execute as a user that does not have access to the root users authorized keys file

- name: Delete key from root user
  ansible.posix.authorized_key:
    state: absent
    user: root
    key: ssh-rsa xxxxxxxx

- name: Delete key from root user
  become: true
  ansible.posix.authorized_key:
    state: absent
    user: root
    key: ssh-rsa xxxxxxxx

The one without become will succeed before my change and will fail with a permission denied error after my change. The 2nd task will actually remove a key from root user if become privileges are available for the executing user

Reviewed-by: Brian Coca
Reviewed-by: Klaas Demter
Reviewed-by: Felix Fontein <felix@fontein.de>
Reviewed-by: Hideki Saito <saito@fgrep.org>
(cherry picked from commit 72a6eb9729)

Co-authored-by: softwarefactory-project-zuul[bot] <33884098+softwarefactory-project-zuul[bot]@users.noreply.github.com>
This commit is contained in:
Hideki Saito
2026-05-18 10:18:52 +09:00
committed by GitHub
parent c163fb089e
commit 714c50bdb7
4 changed files with 61 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
tests/integration/targets/authorized_key/tasks/check_permissions.yml Normal file
View File

@@ -0,0 +1,41 @@
---
# -------------------------------------------------------------
# check permissions
- name: Create a file that is not accessible
ansible.builtin.file:
state: touch
path: "{{ output_dir | expanduser }}/file_permissions"
owner: root
mode: '0000'
- name: Create unprivileged user
ansible.builtin.user:
name: nopriv
create_home: true
- name: Try to delete a key from an unreadable file
become: true
become_user: nopriv
ansible.posix.authorized_key:
user: root
key: "{{ dss_key_basic }}"
state: absent
path: "{{ output_dir | expanduser }}/file_permissions"
register: result
ignore_errors: true
- name: Assert that the key deletion has failed
ansible.builtin.assert:
that:
- result is failed
- name: Remove the file
ansible.builtin.file:
state: absent
path: "{{ output_dir | expanduser }}/file_permissions"
- name: Remove the user
ansible.builtin.user:
name: nopriv
state: absent