[Bug] [zos_script] When user that is not the owner of the script tries to run it module fails with error "ICH408I INSUFFICIENT AUTHORITY TO CHMOD" #1542
When a user that has execute permissions but is not the owner of the script tries to run it, the module fails with the error ICH408I INSUFFICIENT AUTHORITY TO CHMOD. The error is in line 358.
I think the module should check if the current user has access; if it has, execute the script; if not and the user is the owner, change the execution permissions for the owner; otherwise it should fail.
Conversation from the user
When I run this
- name: Run a Rexx script in USS on zOS
  ibm.ibm_zos_core.zos_script:
    cmd: /tmp/hw.sh
    remote_src: true
    executable: /bin/sh
  register: sResult
This is ssh'ing to the z/OS LPAR with userid zcxprv1.
If I set the owner of /tmp/hw.sh to be zcxprv1 like this
-rwxrwxr-x 1 ZCXPRV1 SYS1 34 Jun 11 17:32 hw.sh
then the above runs OK.
If I have this, with the owner being some other userid but with universal execute access
-rwxrwxr-x 1 EDMCAR SYS1 34 Jun 11 17:32 hw.sh
then the above fails with:
BPXF024I (OMVSKERN) Jun 11 17:49:51 IBMZOS sshd[50464015]: Received disconnect from 9.76.61.165 port 42310:11: disconnected by user   449
BPXF024I (OMVSKERN) Jun 11 17:49:51 IBMZOS sshd[50464015]: Disconnected from user zcxprv1 9.76.61.165 port 42310   450
BPXF024I (OMVSKERN) Jun 11 17:49:52 IBMZOS sshd[67241231]: Port of Entry information retained for uid:0 pid:67241231.   451
BPXF024I (OMVSKERN) Jun 11 17:49:52 IBMZOS sshd[67241231]: Accepted publickey for zcxprv1 from 9.76.61.165 port 47964 ssh2: RSA SHA256:daXGLorTUbv1234a3qbDLnIpo/4qWG94HR+L8lh7/+8   452
BPXF024I (OMVSKERN) Jun 11 17:49:52 IBMZOS ansible-ibm.ibm_zos_core.zos_script: Invoked with cmd=/tmp/hw.sh remote_src=True executable=/bin/sh use_template=False chdir=None creates=None encoding=None removes=None template_parameters=None   453
ICH408I USER(ZCXPRV1 ) GROUP(ZCXPRVG ) NAME(ZCX PROVISION USER 1)   454
  /tmp/hw.sh CL(FSSEC ) FID(000000000000000000002D4500000000)
  INSUFFICIENT AUTHORITY TO CHMOD
  EFFECTIVE UID(0000000296) EFFECTIVE GID(0000043001)
If I log into USS with that zcxprv1 id I can run the shell all OK, as shown by:
$LOGNAME:$PWD: >cd /tmp/
$LOGNAME:$PWD: >id
uid=296(ZCXPRV1) gid=43001(ZCXPRVG) groups=9004(IZUUSER)
$LOGNAME:$PWD: >ls -lrt | grep hw.sh
-rwxrwxr-x 1 EDMCAR SYS1 34 Jun 11 17:32 hw.sh
$LOGNAME:$PWD: >/tmp/hw.sh
IBM z/OS Ansible core Version
v1.8.0
IBM Z Open Automation Utilities
v1.2.4
IBM Enterprise Python
v3.11.x (default)
ansible-version
v2.14.x
z/OS version
v2.5 (default)
Ansible module
zos_script
Playbook verbosity output.
ansible-playbook [core 2.14.1]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/ansible/library']
ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible-playbook
python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
Using /etc/ansible/ansible.cfg as config file
[DEPRECATION WARNING]: [defaults]callback_whitelist option, normalizing names to new standard, use
callbacks_enabled instead. This feature will be removed from ansible-core in version 2.15. Deprecation warnings can
be disabled by setting deprecation_warnings=False in ansible.cfg.
host_list declined parsing /etc/ansible/environments/dev2/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/environments/dev2/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/environments/dev2/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/environments/dev2/hosts inventory source with yaml plugin
[WARNING]: While constructing a mapping from /etc/ansible/zos-uss-script.playbook, line 18, column 3, found a
duplicate dict key (collections). Using last defined value only.
redirecting (type: callback) ansible.builtin.profile_tasks to ansible.posix.profile_tasks
Skipping callback 'diy', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: zos-uss-script.playbook **
1 plays in zos-uss-script.playbook
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
PLAY [zceeZosLpar] *****
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
Read vars_file '{{ zosOcpParms }}'
TASK [Run a Rexx script in USS on zOS] *
task path: /etc/ansible/zos-uss-script.playbook:31
Tuesday 11 June 2024 22:09:27 +0000 (0:00:00.093) 0:00:00.093 **
Read vars_file '{{ zosOcpParms }}'
Using module file /root/.ansible/collections/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py
Pipelining is enabled.
<129.40.23.1> ESTABLISH SSH CONNECTION FOR USER: zcxprv1
<129.40.23.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="zcxprv1"' -o ConnectTimeout=10 -o 'ControlPath="/root/.ansible/cp/40f86b3174"' 129.40.23.1 '/bin/sh -c '"'"'_BPXK_AUTOCVT=ON ZOAU_HOME=/usr/lpp/IBM/zoautil PYTHONPATH=/usr/lpp/IBM/zoautil/lib LIBPATH=/usr/lpp/IBM/zoautil/lib:/usr/lpp/IBM/cyp/v3r11/pyz/lib:/lib:/usr/lib:. PATH=/usr/lpp/IBM/zoautil/bin:/usr/lpp/IBM/cyp/v3r11/pyz/bin:/usr/lpp/java/J8.0_64/bin:/var/bin:/usr/sbin:/bin JAVA_HOME=/usr/lpp/java/J8.0_64 _CEE_RUNOPTS='"'"'"'"'"'"'"'"'FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)'"'"'"'"'"'"'"'"' _TAG_REDIR_ERR=txt _TAG_REDIR_IN=txt _TAG_REDIR_OUT=txt LANG=C PYTHONSTDINENCODING=cp1047 /usr/lpp/IBM/cyp/v3r11/pyz/bin/python3 && sleep 0'"'"''
<129.40.23.1> (1, b'', b'Traceback (most recent call last):\n File "", line 107, in \n File "", line 99, in _ansiballz_main\n File "", line 47, in invoke_module\n File "", line 226, in run_module\n File "", line 98, in _run_module_code\n File "", line 88, in _run_code\n File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 388, in \n File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 384, in main\n File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 346, in run_module\nPermissionError: [Errno 139] EDC5139I Operation not permitted.: \'/tmp/hw.sh\'\n')
<129.40.23.1> Failed to connect to the host via ssh: Traceback (most recent call last):
File "", line 107, in
File "", line 99, in _ansiballz_main
File "", line 47, in invoke_module
File "", line 226, in run_module
File "", line 98, in _run_module_code
File "", line 88, in _run_code
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 388, in
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 384, in main
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 346, in run_module
PermissionError: [Errno 139] EDC5139I Operation not permitted.: '/tmp/hw.sh'
Read vars_file '{{ zosOcpParms }}'
The full traceback is:
Traceback (most recent call last):
File "", line 107, in
File "", line 99, in _ansiballz_main
File "", line 47, in invoke_module
File "", line 226, in run_module
File "", line 98, in _run_module_code
File "", line 88, in _run_code
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 388, in
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 384, in main
File "/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py", line 346, in run_module
PermissionError: [Errno 139] EDC5139I Operation not permitted.: '/tmp/hw.sh'
fatal: [zceeZosLpar]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"\", line 107, in \n File \"\", line 99, in _ansiballz_main\n File \"\", line 47, in invoke_module\n File \"\", line 226, in run_module\n File \"\", line 98, in _run_module_code\n File \"\", line 88, in _run_code\n File \"/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py\", line 388, in \n File \"/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py\", line 384, in main\n File \"/tmp/ansible_ibm.ibm_zos_core.zos_script_payload_g1fh0pzl/ansible_ibm.ibm_zos_core.zos_script_payload.zip/ansible_collections/ibm/ibm_zos_core/plugins/modules/zos_script.py\", line 346, in run_module\nPermissionError: [Errno 139] EDC5139I Operation not permitted.: '/tmp/hw.sh'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
Read vars_file '{{ zosOcpParms }}'
Ansible configuration.
No response
Contents of the inventory
No response
Contents of group_vars or host_vars
No response
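The check the bug description asks for, written out as an added example; this is not code from the ibm_zos_core collection. It makes the three-way decision (caller can already execute: run as-is; caller owns the file but lacks the execute bit: add u+x only; neither: refuse before any chmod(2) is issued, so the file system never records the violation that produced the ICH408I message above) as a stand-alone Python function that can be exercised on any POSIX host. The names ensure_executable, run_script, make_sample_script, file_mode, owner_uid and owner_gid are hypothetical, the sample script is constructed here, and the mode-bit check models only the classic owner/group/other classes: ACL entries and RACF overrides are not modelled, so inside the real module the kernel's own answer, os.access(path, os.X_OK), is what to ask instead of the helper.

```python
"""Added example, not the ibm_zos_core collection's own code: the
"check first, chmod only if owner, otherwise fail" decision proposed in
the report, kept separate from the module so it can be tested locally.

Hypothetical names (not from the page): ensure_executable, run_script,
make_sample_script, file_mode, owner_uid, owner_gid.
"""
import os
import stat
import subprocess
import tempfile


def _has_exec_bit(st, euid, groups):
    """POSIX execute check from the mode bits, using the first matching
    class only (owner, then group, then other), as the kernel does.

    Caveat: ACLs and RACF UNIXPRIV/superuser overrides are not modelled;
    for the real caller, os.access(path, os.X_OK) is the authoritative
    answer and is what a production fix should ask.
    """
    mode = st.st_mode
    if euid == 0:                       # superuser: any execute bit suffices
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if st.st_uid == euid:               # owner class
        return bool(mode & stat.S_IXUSR)
    if st.st_gid in groups:             # group class
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)    # other class


def ensure_executable(path, euid=None, groups=None):
    """Return "executable" if the caller can already run *path*, or "chmod"
    if the caller owns it and u+x had to be added.  Raise PermissionError
    when the caller can neither execute nor owns the file, decided *before*
    any chmod(2) is attempted.

    euid/groups default to this process's effective identity; passing them
    explicitly lets the non-owner cases be exercised in a test.
    """
    if euid is None:
        euid = os.geteuid()
    if groups is None:
        groups = set(os.getgroups()) | {os.getegid()}
    st = os.stat(path)
    if _has_exec_bit(st, euid, groups):
        return "executable"
    if st.st_uid == euid:
        # Owner without an execute bit: add only u+x, keep every other bit.
        os.chmod(path, stat.S_IMODE(st.st_mode) | stat.S_IXUSR)
        return "chmod"
    raise PermissionError(
        f"{path}: uid {euid} has no execute access and is not the owner "
        f"(uid {st.st_uid}); refusing to chmod a file we do not own"
    )


def run_script(path, executable=None, euid=None, groups=None):
    """Check first, then run.  With `executable` set (as in the task above,
    executable: /bin/sh) the interpreter reads the script, so it is passed
    as an argument rather than exec'd directly."""
    action = ensure_executable(path, euid, groups)
    argv = [executable, path] if executable else [path]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return action, proc.returncode, proc.stdout


def make_sample_script(mode):
    """Constructed sample: a tiny shell script with the requested mode bits."""
    fd, path = tempfile.mkstemp(suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write("#!/bin/sh\necho hello from sample\n")
    os.chmod(path, mode)
    return path


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def owner_uid(path):
    return os.stat(path).st_uid


def owner_gid(path):
    return os.stat(path).st_gid


if __name__ == "__main__":
    # Replay the report's situations on a local file.
    script = make_sample_script(0o775)              # -rwxrwxr-x, as in the ls output
    me = owner_uid(script)
    print(ensure_executable(script, euid=me + 1, groups=set()))   # non-owner, o+x: executable
    os.chmod(script, 0o664)
    print(ensure_executable(script, euid=me, groups=set()))       # owner, no x: chmod
    os.chmod(script, 0o664)
    try:
        ensure_executable(script, euid=me + 1, groups=set())      # non-owner, no x: refused
    except PermissionError as exc:
        print("refused:", exc)
    os.unlink(script)
```

Two things worth noticing when reading it against the log above. First, the file in the report is -rwxrwxr-x, so the non-owner already has execute access and the chmod the module attempts is unnecessary; with executable: /bin/sh it is doubly unnecessary, because sh only needs to read the file. Second, failing on the module side rather than letting chmod(2) be rejected keeps the RACF audit trail free of an ICH408I violation for an operation the automation never needed to perform.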