umask option for the ansible.posix.mount module #163

Open
roggy85 opened this issue Apr 1, 2021 · 2 comments · May be fixed by #209
Labels
feature This issue/PR relates to a feature request. waiting_on_contributor Needs help. Feel free to engage to get things unblocked

Comments

@roggy85

roggy85 commented Apr 1, 2021

SUMMARY

When using the ansible.posix.mount module to mount a filesystem under a directory structure which is not existent, the module creates the directories with the umask which is defined for the root user.
If the default umask for root is set so that "other" has no permissions on newly created directories, the mount module mounts the filesystem - but no one other than root can access it because traversing the directories is not possible.

For example, you want a filesystem mounted under "/myapps/app1" and both directories are non-existent:

[root@server ~]# ls -ld /myapps{,/app1}
ls: cannot access '/myapps': No such file or directory
ls: cannot access '/myapps/app1': No such file or directory
[root@server ~]#

umask is set to 0027

[root@server ~]# umask; umask -S
0027
u=rwx,g=rx,o=
[root@server ~]#

Using ansible to mount the filesystem

[root@server ~]# ansible localhost -m mount -a "src=tmpfs path=/myapps/app1 fstype=tmpfs state=mounted"
localhost | CHANGED => {
    "changed": true,
    "dump": "0",
    "fstab": "/etc/fstab",
    "fstype": "tmpfs",
    "name": "/myapps/app1",
    "opts": "defaults",
    "passno": "0",
    "src": "tmpfs"
}
[root@server ~]#

Now the module created the directories "/myapps/" and "/myapps/app1/" and the filesystem is mounted under /myapps/app1

[root@server ~]# ls -ld /myapps{,/app1}
drwxr-x---. 3 root root 18 Apr  1 09:24 /myapps
drwxrwxrwt. 2 root root 40 Apr  1 09:24 /myapps/app1
[root@server ~]#

But the directory /myapps/ got the permissions 750 and I can't access the mounted filesystem as a user != root - no matter what the mounted filesystem has for permissions

[user@server ~]$ ls -l /myapps{,/app1}
ls: cannot access '/myapps/app1': Permission denied
ls: cannot open directory '/myapps': Permission denied
[user@server ~]$

An option to avoid this situation would be to specify the umask when calling the module, like with the "git" module.
If you could set umask=0022, all directories which get created automatically would be created so that you can traverse them.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible.posix.mount

ADDITIONAL INFORMATION
 ansible localhost -m mount -a "umask=0022 src=tmpfs path=/myapps/app1 fstype=tmpfs state=mounted"

That would cause ansible to set the umask for that specific task and the parent directories would get the proper permissions - if this is wanted.

@quidame
Contributor

quidame commented Apr 4, 2021

I also ran into this issue, but have another proposal, one based on the idea of smart behavior rather than a dedicated option.

For me, parent directories created by the module should inherit their permissions and ownership from the already existing parent dir, that seems the logical way to grant access to the mountpoint to all users accessing the parent dir, and only them. Rather than seeing directories to create as the parent directories of the mountpoint, see them as subdirectories of an existing directory, that has permissions and ownership we have to propagate until the last directory, the mountpoint. (Note that the mountpoint itself is a special case, because its properties are hidden by those of the mounted filesystem; this is out of the scope of this issue)

For example, for a mount over /srv/foo/bar/data, with /srv being set to 0755 root:root, and other directories not existing yet, the module would end up with /srv/foo, /srv/foo/bar and /srv/foo/bar/data all set to 0755 root:root. Alternatively, with /srv/foo being set to 0750 neo:users, the mount module would end up with /srv/foo/bar set to the same permissions/ownership as its parent.
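
The two behaviours discussed in this thread, side by side, as an added example (not code from ansible.posix or from either commenter): directory creation under a umask of 0027 as in the original report, and creation that copies mode and ownership from the nearest existing ancestor as proposed in the comment above. The function names are hypothetical and a constructed temporary directory stands in for /srv.

```python
import os
import stat
import tempfile


def makedirs_under_umask(path, umask):
    """Behaviour reported in the issue: missing parents get 0777 & ~umask."""
    old = os.umask(umask)
    try:
        os.makedirs(path)
    finally:
        os.umask(old)


def makedirs_inheriting(path):
    """Create missing dirs with the mode/owner of the nearest existing ancestor."""
    path = os.path.abspath(path)
    missing = []
    cur = path
    while not os.path.isdir(cur):
        missing.append(cur)
        cur = os.path.dirname(cur)
    ref = os.stat(cur)  # nearest ancestor that already exists
    mode = stat.S_IMODE(ref.st_mode)
    for d in reversed(missing):
        os.mkdir(d)
        os.chmod(d, mode)  # explicit chmod is not filtered by the umask
        st = os.stat(d)
        if (st.st_uid, st.st_gid) != (ref.st_uid, ref.st_gid):
            os.chown(d, ref.st_uid, ref.st_gid)  # requires privilege
    return missing[::-1]


def mode_of(path):
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    base = tempfile.mkdtemp()  # constructed stand-in for an existing /srv
    os.chmod(base, 0o755)
    makedirs_under_umask(os.path.join(base, "myapps", "app1"), 0o027)
    makedirs_inheriting(os.path.join(base, "foo", "bar", "data"))
    return tuple(mode_of(os.path.join(base, p))
                 for p in ("myapps", "foo", "foo/bar/data"))


if __name__ == "__main__":
    print(demo())  # ('0o750', '0o755', '0o755')
```

Inheritance never grants more access than the existing ancestor already allows, whereas a per-task umask sets the result independently of the parent.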

@roggy85
Author

roggy85 commented Apr 12, 2021

Hi,

That would also be an option: when a directory is created, it inherits the parent's permissions.

And maybe the umask option could be optional - if you really want it different. But for that specific case - with your solution it would not be needed.

@Akasurde Akasurde added feature This issue/PR relates to a feature request. waiting_on_contributor Needs help. Feel free to engage to get things unblocked labels Jun 4, 2021
@satken2 satken2 linked a pull request Jun 12, 2021 that will close this issue