pgp_secretstore should warn if running as root #199

Closed
jdreichmann opened this issue Dec 28, 2023 · 1 comment · Fixed by #200
@jdreichmann

It is easy to mess up and get strange issues when become: true is used in a playbook, as root usually has neither keyring nor access to any gpg-agents or similar. For this reason, the module should warn when it's run as root, as it is trivial to detect in Python.

jdreichmann commented Jan 2, 2024

TASK [famedly.base.gpg_secretstore] ********************************************************************************
The full traceback is:
Traceback (most recent call last):
  File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 107, in <module>
    _ansiballz_main()
  File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.famedly.base.plugins.modules.gpg_secretstore', init_globals=dict(_module_fqn='ansible_collections.famedly.base.plugins.modules.gpg_secretstore', _modlib_path=modlib_path),
  File "<frozen runpy>", line 226, in run_module
  File "<frozen runpy>", line 98, in _run_module_code
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/modules/gpg_secretstore.py", line 517, in <module>
  File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/modules/gpg_secretstore.py", line 404, in main
  File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/module_utils/gpg_utils.py", line 175, in get_recipients_from_encrypted_file
ansible_collections.famedly.base.plugins.module_utils.gpg_utils.GPGException: Subkey 112CED6FF8C78971 has no known associated keys
fatal: [famedly.de -> localhost]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 107, in <module>
        _ansiballz_main()
      File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/transcaffeine/.ansible/tmp/ansible-tmp-1704192034.5374594-325293-127573528053995/AnsiballZ_gpg_secretstore.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.famedly.base.plugins.modules.gpg_secretstore', init_globals=dict(_module_fqn='ansible_collections.famedly.base.plugins.modules.gpg_secretstore', _modlib_path=modlib_path),
      File "<frozen runpy>", line 226, in run_module
      File "<frozen runpy>", line 98, in _run_module_code
      File "<frozen runpy>", line 88, in _run_code
      File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/modules/gpg_secretstore.py", line 517, in <module>
      File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/modules/gpg_secretstore.py", line 404, in main
      File "/tmp/ansible_famedly.base.gpg_secretstore_payload_swv7gc2m/ansible_famedly.base.gpg_secretstore_payload.zip/ansible_collections/famedly/base/plugins/module_utils/gpg_utils.py", line 175, in get_recipients_from_encrypted_file
    ansible_collections.famedly.base.plugins.module_utils.gpg_utils.GPGException: Subkey 112CED6FF8C78971 has no known associated keys
  module_stdout: |-
    warn: running as uid 0 (root), ensure the correct gnupg keyring is loaded
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

Output - in module_stdout is the warning about running as root, in module_stderr is the GPGException about the subkey not being known.
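
An added example, not part of the issue or of the famedly.base collection's code: a root check of the kind requested above, extended to report which GnuPG home directory the process would use and whether it holds a public keyring. The function names are hypothetical; `GNUPGHOME`, `SUDO_USER` and the keyring file names are standard GnuPG and sudo conventions, and the use of `SUDO_USER` assumes privileges were raised through sudo.

```python
import os
import pwd
from pathlib import Path

# Public keyring files: keybox format (GnuPG >= 2.1) and the legacy keyring.
KEYRING_FILES = ("pubring.kbx", "pubring.gpg")


def gnupg_home(env, home):
    """Directory gpg would use: $GNUPGHOME if set, otherwise ~/.gnupg."""
    return Path(env.get("GNUPGHOME") or Path(home) / ".gnupg")


def root_keyring_warnings(euid, env, home):
    """Return warning strings for code about to call gpg; [] when not root."""
    if euid != 0:
        return []
    gpg_dir = gnupg_home(env, home)
    warnings = [f"running as uid 0 (root), gpg will use the keyring in {gpg_dir}"]
    # An absent keyring means no key lookup for this uid can succeed.
    if not any((gpg_dir / name).is_file() for name in KEYRING_FILES):
        warnings.append(f"no public keyring found in {gpg_dir}")
    # sudo records the invoking user, whose keyring is usually the intended one.
    invoking = env.get("SUDO_USER")
    if invoking and invoking != "root":
        warnings.append(
            f"privileges were raised from user {invoking!r}; "
            f"check that {gpg_dir} is the intended keyring"
        )
    return warnings


def current_process_warnings():
    """Run the check against the real effective uid and environment."""
    home = pwd.getpwuid(os.geteuid()).pw_dir
    return root_keyring_warnings(os.geteuid(), os.environ, home)


if __name__ == "__main__":
    for line in current_process_warnings():
        print("warning:", line)
```

In an Ansible module each returned string can be passed to `AnsibleModule.warn()`, which reports it in the task result.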
