Allow using temporary directories on filesystems mounted noexec #1498

Merged
moreati merged 1 commit into mitogen-hq:master from bgK:remove-noexec-check on Apr 13, 2026

bgK (Contributor) commented Mar 31, 2026

Neither Ansible nor Mitogen need the temporary directory to be executable. Allow using noexec temporary directories so that mitogen-ansible can be used in environments where unprivileged users are not allowed to have directories both writable and executable.

Binary Ansible modules require the temporary directory to be executable. It's up to the user to make sure Ansible and their environment are configured correctly for this use case.

In the situation where some candidate temporary directories are executable and some are not, the first executable one is preferred, for backwards compatibility.

moreati (Member) commented Apr 12, 2026

Notes to self

ansible_mitogen.target.is_good_temp_dir() is only called by ansible_mitogen.target.find_good_temp_dir(), only called by ansible_mitogen.target.init_child(), called remotely from Ansible controller -> Ansible target in ansible_mitogen.services.ContextService._connect().

f24f02b is origin of the code that rejects non-executable directories

```python
# access(.., X_OK) is sufficient to detect noexec.
if not os.access(tmp.name, os.X_OK):
    raise OSError('filesystem appears to be mounted noexec')
```
It references ticket #321 which is no longer visible (moved/marked private before move to mitogen-hq org).

Mitogen has no pre-existing test coverage of noexec. Ansible has a noexec test target https://github.com/ansible/ansible/tree/devel/test/integration/targets/noexec, introduced in ansible/ansible#72636 and backported to Ansible 2.9.

> To clarify, this PR deals with async_wrapper, but this specific task is effectively targeting this line, to ensure we build the module execution command in a way that still works with noexec:

-- ansible/ansible#72636 (comment)

Thoughts

I can't conclusively say why David added noexec checks. I'm slightly tempted to build on this PR and remove them entirely.
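The access(X_OK) check quoted in the notes above, combined with the executable-first selection the PR description outlines, as an added example (not Mitogen's code). The names `probe_dir` and `choose_temp_dir` and the candidate list are assumptions made for illustration.

```python
import os
import stat
import tempfile


def probe_dir(path):
    """Return (writable, executable) for one candidate temp directory."""
    try:
        fd, name = tempfile.mkstemp(prefix='probe-', dir=path)
    except OSError:
        return (False, False)  # missing, read-only or permission denied
    try:
        # Mode bits alone say nothing about mount options: set u+x, then ask
        # the kernel. On Linux access(X_OK) fails for a regular file on a
        # noexec mount, which is what the quoted check relied on.
        os.fchmod(fd, stat.S_IRWXU)
        return (True, os.access(name, os.X_OK))
    finally:
        os.close(fd)
        os.unlink(name)


def choose_temp_dir(candidates, probe=probe_dir):
    """Return (path, executable): first writable+executable candidate,
    else the first writable one. Raise OSError if none is writable."""
    fallback = None
    for path in candidates:
        writable, executable = probe(path)
        if writable and executable:
            return (path, True)
        if writable and fallback is None:
            fallback = path
    if fallback is None:
        raise OSError('no writable temporary directory among candidates')
    return (fallback, False)


if __name__ == '__main__':
    # Constructed candidate list; adjust to the target's layout.
    path, executable = choose_temp_dir([tempfile.gettempdir(), '/dev/shm'])
    print(path, 'exec ok' if executable else 'noexec: binary modules will fail here')
```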

moreati (Member) commented Apr 12, 2026

@bgK

> Neither Ansible nor Mitogen need the temporary directory to be executable

For completeness, do you have a citation or other evidence/references for this?

> Binary Ansible modules require the temporary directory to be executable

Ditto

> the first executable one is preferred, for backwards compatibility.

I'm tempted to be more ruthless. What are your thoughts about removing the check entirely?

bgK (Contributor, Author) commented Apr 12, 2026

> @bgK
>
> > Neither Ansible nor Mitogen need the temporary directory to be executable
>
> For completeness, do you have a citation or other evidence/references for this?

None, just my own testing. Both Ansible and Ansible+Mitogen work fine on systems where everything writable for unprivileged users is mounted noexec.

> > Binary Ansible modules require the temporary directory to be executable
>
> Ditto

I have not actually tested binary modules as I don't use them. However noexec's main purpose is to prevent unprivileged users from installing and then running their own binaries on the system. It's certainly possible to bypass noexec from Python by loading an executable file manually in memory. However, after looking at Ansible's source code it seems to me all module files are copied/extracted on the target host as files and executed directly.

> > the first executable one is preferred, for backwards compatibility.
>
> I'm tempted to be more ruthless. What are your thoughts about removing the check entirely?

That was my intention at first. I went the backwards compatibility route because as a one-off contributor I can't take the responsibility of introducing a breaking change. IMO, it's fine to remove the check. Users should not rely on Ansible-Mitogen to fix their temporary directory for them. Their setup should work when Mitogen is disabled.

Let me know if you want me to change the PR to remove the check entirely.

moreati (Member) commented Apr 12, 2026

> Let me know if you want me to change the PR to remove the check entirely.

Yes please, and also

  • Include a changelog.rst entry

bgK force-pushed the remove-noexec-check branch 2 times, most recently from f05eef6 to 94a6e4b (April 13, 2026 08:18)

bgK (Contributor, Author) commented Apr 13, 2026

> > Let me know if you want me to change the PR to remove the check entirely.
>
> Yes please, and also
>
> * [ ] Include a changelog.rst entry

Ok, done.

Neither Ansible nor Mitogen need the temporary directory to be
executable. Allow using noexec temporary directories so that
mitogen-ansible can be used in environments where unprivileged users
are not allowed to have directories both writable and executable.

Binary Ansible modules require the temporary directory to be executable.
It's up to the user to make sure Ansible and their environment are
configured correctly for this use case.

Fixes mitogen-hq#632.

bgK force-pushed the remove-noexec-check branch from 94a6e4b to 03d37da (April 13, 2026 09:18)
moreati merged commit 1fdb4f5 into mitogen-hq:master Apr 13, 2026
67 of 72 checks passed
moreati (Member) commented Apr 13, 2026

Thank you. I expect to do a release later this week.
