Comments (5)
@alorence, thank you for reporting this issue, sorry for the late reply. I think there are two ways to resolve this issue.

- Run this specific role as a privileged user e.g.:

  ```yaml
  - hosts: servers
    roles:
      - role: gantsign.oh-my-zsh
        become: yes
        users:
          - username: example
  ```

  Note: I haven't been able to fully test this but it should be the simplest solution.

- Grant your non-privileged Ansible user sufficient permissions.

  I tried the following instructions for testing using a non-privileged user with Molecule https://molecule.readthedocs.io/en/stable/examples.html#docker-with-non-privileged-user and I was able to successfully execute this role. Note: you may want to restrict the sudo permissions (the example grants `ALL` sudo permissions).

Unfortunately, Ansible doesn't provide a clean solution for this issue at the moment and the current implementation of this role has proven to be the least worst option.
from ansible-role-oh-my-zsh.
Thank you very much for answering.

Unfortunately, Solution 1 is not applicable in my case. Remotes I work on forbid root SSH connection for security reasons.

Solution 2 may work, but I must admit I am confused with the "privileged" and "non-privileged" terms. What do they mean? The administrative user who performs all tasks is in the "wheel" group (RedHat based systems) or "sudo" group (Debian based systems). What should I do to grant this user the sufficient permissions that will allow him to write a file in another user's home directory?
FYI: You don't need to SSH to a remote as root if the user you use for your SSH connection has permissions to execute commands as if they are root (e.g. using `sudo`).

If you're coming from a Windows background think of a "privileged" user as a user with Administrator permissions and a "non-privileged" user as an ordinary user without Administrator permissions. Administrator permissions allow you to install software and edit other users' files etc.

Most Linux distributions use `sudo` (super-user do) as a way of allowing a user with low permissions to perform actions as other users with higher/different permissions (e.g. `root`). This is normally what Ansible uses when you use `become` and `become_user`.

By default, users are not able to use `sudo`; access is granted by editing files in `/etc/sudoers.d`, editing the `/etc/sudoers` file or assigning the user to groups who have been granted permission to use `sudo`.

"Variable SUDO_GROUP depends on distribution wheel is used on centos:7." means if your Linux distribution has a default group for users with permission to use `sudo`, use that group name (e.g. the group name is `wheel` on `centos:7` and `sudo` on `Ubuntu:16.04`).

Configuring specific permissions for `sudo` isn't easy, see https://www.sudo.ws/man/1.8.27/sudoers.man.html. If you're using `sudo` on your desktop machine you're almost certainly granted `ALL` permissions, which is a lot easier to set up.

For this role, you'll need permissions to install software using the package manager (e.g. `zsh` and `git`). You'll need permission to run `git` on behalf of the users you want to install Oh My Zsh for, change file permissions for that user, change the default shell, and write the `.zshrc`.

One thing to be aware of is security professionals will object to installing Oh My Zsh on servers (particularly production). So if you need them to grant you extra permissions they'll likely say no.
Unfortunately, a non-root user cannot write the .zshrc file inside the home directory of another user, even if it is in the `sudo` or `wheel` group. Cloning the .oh-my-zsh directory works, changing the default shell works, but any module that uploads a file and changes permissions will not, as explained in the Ansible docs:

> Pipelining does not work for python modules involving file transfer (for example: copy, fetch, template), or for non-python modules

I re-checked this with a very simple example. I started a fresh Debian Stretch server on Amazon EC2. By default, this server comes with SSH root disabled, and an `admin` user that can do anything using passwordless `sudo`.

I ran this playbook:

```yaml
---
- hosts: all
  remote_user: admin
  become: yes
  vars:
    ansible_become_password_default: ""
    users:
      - username: admin
        oh_my_zsh:
          theme: tjkirch
          plugins:
            - git
            - themes
      - username: random_user
        oh_my_zsh:
          theme: jtriley
          plugins:
            - debian
            - virtualenv
  roles:
    - create_users
    - gantsign.oh-my-zsh
```

with this custom role in `roles/create_users/tasks/main.yml`:

```yaml
---
- name: Create user {{ item.username }}
  user:
    state: present
    name: "{{ item.username }}"
    system: no
    append: yes
  with_items: "{{ users }}"
```

See the result:

```
ansible-playbook -i ec2.hosts setup_zsh.yml

PLAY [all] **********************************************

TASK [Gathering Facts] **********************************
ok: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com]

TASK [create_users : Create user {{ item.username }}] ****************
ok: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'admin', 'oh_my_zsh': {'theme': 'tjkirch', 'plugins': ['git', 'themes']}})
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'random_user', 'oh_my_zsh': {'theme': 'jtriley', 'plugins': ['debian', 'virtualenv']}})

TASK [gantsign.oh-my-zsh : install dependencies] ****************
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item=git)
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item=zsh)
[WARNING]: Updating cache and auto-installing missing dependency: python-apt
[WARNING]: Could not find aptitude. Using apt-get instead

TASK [gantsign.oh-my-zsh : clone oh-my-zsh for users] ****************
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'admin', 'oh_my_zsh': {'theme': 'tjkirch', 'plugins': ['git', 'themes']}})
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'random_user', 'oh_my_zsh': {'theme': 'jtriley', 'plugins': ['debian', 'virtualenv']}})

TASK [gantsign.oh-my-zsh : set permissions of oh-my-zsh for users] ****************
ok: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'admin', 'oh_my_zsh': {'theme': 'tjkirch', 'plugins': ['git', 'themes']}})
ok: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'random_user', 'oh_my_zsh': {'theme': 'jtriley', 'plugins': ['debian', 'virtualenv']}})

TASK [gantsign.oh-my-zsh : set default shell for users] ****************
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'admin', 'oh_my_zsh': {'theme': 'tjkirch', 'plugins': ['git', 'themes']}})
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'random_user', 'oh_my_zsh': {'theme': 'jtriley', 'plugins': ['debian', 'virtualenv']}})

TASK [gantsign.oh-my-zsh : write .zshrc for users] ****************
changed: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com] => (item={'username': 'admin', 'oh_my_zsh': {'theme': 'tjkirch', 'plugins': ['git', 'themes']}})
fatal: [ec2-15-188-47-86.eu-west-3.compute.amazonaws.com]: FAILED! => {}

MSG:

Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership
of '/var/tmp/ansible-tmp-1569837824.9828672-165693995545428/': Operation not permitted
chown: changing ownership of '/var/tmp/ansible-tmp-1569837824.9828672-165693995545428/source': Operation not permitted
}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

PLAY RECAP ****************
ec2-15-188-47-86.eu-west-3.compute.amazonaws.com : ok=7 changed=4 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```

So apparently, a privileged user (`admin` in this case) cannot update the owner of the temp file to another unprivileged user.

When I encounter this issue in my own roles, I often update the task to use the `owner` and `group` arguments of the `template` module.
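The workaround described in the comment above, as an added example that is not part of this thread or of the gantsign.oh-my-zsh role: the `.zshrc` is written while still root (plain `become: yes`, no `become_user`), and ownership is handed to the target user through the `template` module's `owner`/`group` arguments, so Ansible never has to `chown` its temporary files to an unprivileged user. It assumes the same `users` list shape as the failing playbook above and a template file `templates/zshrc.j2` beside the playbook (both assumptions); the `getent` lookup is an addition that resolves each user's real home directory and primary GID instead of guessing `/home/<name>`.

```yaml
---
# Added example; not code from the gantsign.oh-my-zsh role or from the thread.
# Writes each user's .zshrc as root and assigns ownership with owner/group,
# avoiding the become_user temp-file chown that fails for a non-root
# connection user.
- hosts: all
  remote_user: admin          # sudo-capable connection user, as in the thread
  become: yes                 # become root; never become_user an unprivileged user
  vars:
    users:                    # assumed shape, same as the playbook above
      - username: admin
      - username: random_user
  tasks:
    - name: Read the passwd database so home directories and GIDs can be looked up
      getent:
        database: passwd      # sets the getent_passwd fact: {name: [pw, uid, gid, gecos, home, shell]}

    - name: Write .zshrc for users, owned by each user rather than by root
      template:
        src: zshrc.j2         # assumed template, templates/zshrc.j2 beside the playbook
        dest: "{{ getent_passwd[item.username][4] }}/.zshrc"   # index 4 = home directory
        owner: "{{ item.username }}"
        group: "{{ getent_passwd[item.username][2] }}"         # index 2 = primary GID
        mode: "0644"
      loop: "{{ users }}"
```

Because the task runs as root, the file module family sets ownership itself after the write, and a later change to `owner` or `group` shows up as `changed`, so the result is idempotent and auditable in the play recap. The `getent` call is made once, without a `key`, because the fact it sets is replaced rather than merged on each loop iteration. If a play genuinely needs `become_user` to an unprivileged account from a non-root connection user, the Ansible page linked in the error message above documents installing the `acl` package so Ansible can use `setfacl` on its temporary files instead of `chown`.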
Sorry, it doesn't look like I can fix this without breaking other users or greatly complicating the implementation, I suggest you fork the role.