Oefenweb / ansible-postfix

Ansible role to set up postfix in Debian-like systems
MIT License

Failed to copy to /etc/mailname #91

Closed clbarnes closed 4 years ago

clbarnes commented 4 years ago

Config, in a task:

- name: set up postfix for notifications
  include_role:
    name: Oefenweb.postfix
  vars:
    postfix_aliases:
      - user: root
        alias: "{{ admin_email }}"
    postfix_relayhost: my.fqdn
    postfix_inet_interfaces: localhost

Traceback:

The full traceback is:
  File "/tmp/ansible_copy_payload_n0uqaa_r/ansible_copy_payload.zip/ansible/modules/files/copy.py", line 675, in main
  File "/tmp/ansible_copy_payload_n0uqaa_r/ansible_copy_payload.zip/ansible/module_utils/basic.py", line 2231, in atomic_move
    os.chown(b_src, dest_stat.st_uid, dest_stat.st_gid)
fatal: [ark]: FAILED! => {
    "changed": false,
    "checksum": "905f0ac0c93a01c9195fd9ccc556472bb6e8cb30",
    "diff": [],
    "invocation": {
        "module_args": {
            "_original_basename": "mailname.j2",
            "attributes": null,
            "backup": false,
            "checksum": "905f0ac0c93a01c9195fd9ccc556472bb6e8cb30",
            "content": null,
            "delimiter": null,
            "dest": "/etc/mailname",
            "directory_mode": null,
            "follow": false,
            "force": true,
            "group": "root",
            "local_follow": null,
            "mode": 420,
            "owner": "root",
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": "/lmb/home/cbarnes/.ansible/tmp/ansible-tmp-1594200472.29-9494-34511939755517/source",
            "unsafe_writes": null,
            "validate": null
        }
    },
    "msg": "failed to copy: /lmb/home/cbarnes/.ansible/tmp/ansible-tmp-1594200472.29-9494-34511939755517/source to /etc/mailname",
    "traceback": "Traceback (most recent call last):\n  File \"/tmp/ansible_copy_payload_n0uqaa_r/ansible_copy_payload.zip/ansible/modules/files/copy.py\", line 675, in main\n  File \"/tmp/ansible_copy_payload_n0uqaa_r/ansible_copy_payload.zip/ansible/module_utils/basic.py\", line 2231, in atomic_move\n    os.chown(b_src, dest_stat.st_uid, dest_stat.st_gid)\nPermissionError: [Errno 13] Permission denied: b'/lmb/home/cbarnes/.ansible/tmp/ansible-tmp-1594200472.29-9494-34511939755517/source'\n"
}

Seems to be a privilege escalation issue - any thoughts?

michalsarna commented 4 years ago

Try adding "become_user: root". All other configuration should fail as well, since the whole of /etc/postfix is owned by root (checked on Ubuntu 16.04/18.04/20.04):

/etc # ls -la | grep postfix
drwxr-xr-x   5 root   root    4096 Dec  3  2019 postfix
/etc # tree -ug postfix/
postfix/
├── [root     root    ]  dynamicmaps.cf
├── [root     root    ]  dynamicmaps.cf.d
├── [root     root    ]  main.cf
├── [root     root    ]  main.cf.proto
├── [root     root    ]  makedefs.out
├── [root     root    ]  master.cf
├── [root     root    ]  master.cf.proto
├── [root     root    ]  postfix-files
├── [root     root    ]  postfix-files.d
├── [root     root    ]  postfix-script
├── [root     root    ]  post-install
└── [root     root    ]  sasl

3 directories, 9 files

clbarnes commented 4 years ago

The task is part of a role, and that role is called from a playbook which has become: yes (which I understand defaults to becoming root). Is that enough, or does it need to be specified in each task as well?

michalsarna commented 4 years ago

I've got it like this:

---
- hosts: postfix
  become: yes
  become_user: root
  become_method: sudo

  roles:
    - postfix

and it's working without any problems.
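For comparison with the playbook above, here is the same role invoked from a task with privilege escalation set on the include itself. This is an added example, not from the thread or the Oefenweb.postfix role; it assumes the variables used in the original task (admin_email, the relay host name) are already defined.

```yaml
---
# Added example: calling Oefenweb.postfix from a task file rather than a
# playbook-level "roles:" list, with become applied explicitly.
# include_role is dynamic, so task keywords on the include do not reach the
# included tasks by themselves; the "apply" hash propagates them.
- name: set up postfix for notifications
  include_role:
    name: Oefenweb.postfix
    apply:
      become: true          # included tasks (copy to /etc/mailname, /etc/postfix) run as root
      become_user: root
      become_method: sudo
  become: true              # the include itself also escalates
  vars:
    postfix_aliases:
      - user: root
        alias: "{{ admin_email }}"   # assumed to be defined elsewhere
    postfix_relayhost: my.fqdn       # placeholder relay host from the original task
    postfix_inet_interfaces: localhost

# Optional verification after the role has run: /etc/mailname should be
# root:root with mode 0644 (the "mode": 420 in the failed invocation above
# is 0644 in decimal), which the copy module could not achieve unprivileged.
- name: verify /etc/mailname ownership and mode
  stat:
    path: /etc/mailname
  register: mailname_stat
  become: true

- name: fail if /etc/mailname is not owned by root with mode 0644
  assert:
    that:
      - mailname_stat.stat.exists
      - mailname_stat.stat.pw_name == "root"
      - mailname_stat.stat.gr_name == "root"
      - mailname_stat.stat.mode == "0644"
```

If this still fails with the same PermissionError on the temporary source file, the remote user really is not being escalated to root for the copy, and the become settings (not the role) are the place to look.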