You have some Oracle Linux servers targeted by your ansible playbooks.
You have your_playbook.yml that contains the following task:
- name: "This script is for a test"
  ansible.builtin.script: yourscript.sh
  become: yes
  become_user: oracle
(The become and become_user instructions are not required to reproduce the error)
If you got an error, just add the -vvv option to get ansible’s verbose output, for instance:
ansible-playbook -vvv -i yourinventory.ini playbooks/your_playbook.yml
Then you get something like this:
...
...
<yourserver.com> ESTABLISH SSH CONNECTION FOR USER: robocop
<yourserver.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/ansible/.ssh/youransible_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="yoursudouser"' -o ConnectTimeout=10 -o 'ControlPath="/home/ansible/.ansible/cp/f8428ad8ca"' -tt yourserver.com '/bin/sh -c '"'"'sudo -H -S -n -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-jmhzkvvipuhwvjtlrovqjniwolupjoor ; /var/tmp/ansible-tmp-1727884131.6459033-175968-242039743593177/yourscript.sh'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<yourserver.com> (126, b'/bin/sh: /var/tmp/ansible-tmp-1727884131.6459033-175968-242039743593177/yourscript.sh: Permission denied\r\n', b'Shared connection to yourserver.novrh.com closed.\r\n')
...
...
In fact, the ‘Permission denied’ error comes from Ansible staging the script under /var/tmp on your Oracle Linux server. On Oracle Linux servers, /var/tmp is a separate filesystem mounted with the ‘noexec’ option, as you can see here:
[root@yourserver root]# cd /var/tmp
[root@yourserver tmp]# vim nicotest.sh
[root@yourserver tmp]# chmod 755 nicotest.sh
[root@yourserver tmp]# ./nicotest.sh
-bash: ./nicotest.sh: Permission denied
[root@yourserver tmp]# mount | grep /var/tmp
/dev/mapper/vg00-var_tmp on /var/tmp type ext4 (rw,nosuid,nodev,noexec,noatime,nodiratime,stripe=256)
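The `mount | grep /var/tmp` check above can be scripted so it answers the question for whatever path Ansible staged the script at, which is useful when the temporary directory is not /var/tmp. The following is an added example and not code from the original post; it reads /proc/mounts format from stdin, and the mount table it ships with is constructed (only the /var/tmp line comes from the post). `remote_tmp` is Ansible's own setting for the staging directory.

```shell
#!/bin/sh
# Added example, not code from the original post: report whether the filesystem
# holding a path is mounted noexec, the condition behind the "Permission denied"
# from ansible.builtin.script when the script is staged under /var/tmp.
# Usage: path_is_noexec PATH < /proc/mounts   (0 = noexec, 1 = exec allowed,
# 2 = no mount point is a prefix of PATH)
path_is_noexec() {
    _path=$1
    _best=''
    _bestopts=''
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r _dev _mnt _fstype _opts _rest; do
        # longest mount point that is a prefix of PATH is the one the path
        # really lives on ("/" is a prefix of every absolute path)
        case "$_path" in
            "$_mnt"|"${_mnt%/}"/*)
                if [ "${#_mnt}" -gt "${#_best}" ]; then
                    _best=$_mnt
                    _bestopts=$_opts
                fi ;;
        esac
    done
    [ -n "$_best" ] || return 2
    case ",$_bestopts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed mount table: the /var/tmp line is the post's, the rest is made up.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg00-root / ext4 rw,relatime 0 0
/dev/mapper/vg00-var /var ext4 rw,relatime 0 0
/dev/mapper/vg00-var_tmp /var/tmp ext4 rw,nosuid,nodev,noexec,noatime,nodiratime,stripe=256 0 0
/dev/mapper/vg00-home /home ext4 rw,relatime 0 0
EOF
}

# Demonstration: the post's /var/tmp staging path versus a home-directory one
for p in /var/tmp/ansible-tmp-1727884131.6459033-175968-242039743593177/yourscript.sh \
         /home/oracle/.ansible/tmp/yourscript.sh; do
    if sample_mounts | path_is_noexec "$p"; then
        echo "$p: noexec mount, hand the script to an interpreter or move remote_tmp"
    else
        echo "$p: executable bit is honoured"
    fi
done
```

Keep in mind that noexec on /var/tmp is a deliberate hardening setting on that host: running the script through an interpreter works around it for this task, whereas pointing `remote_tmp` at a filesystem that allows execution keeps the mount option meaningful.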
How to avoid this error then?
The noexec flag prevents you from calling the script directly, but if you use /bin/sh ./nicotest.sh you’ll be able to execute it.
The ansible.builtin.script module lets you specify the “Name or path of an executable to invoke the script with”. This is done with the ‘executable’ parameter:
- name: "This script is for a test"
  ansible.builtin.script: yourscript.sh
  args:
    executable: /bin/sh
  become: yes
  become_user: oracle
Et voilà!