Ensure proper access to the created temporary file

Fixes #60072
2025-04-17 10:10:20 +00:00 · 2021-05-12 07:03:27 +01:00 · 2021-05-12 07:03:27 +01:00 · 03669b0161
commit 03669b0161
parent 1c743afb48
3 changed files with 33 additions and 1 deletions
--- a/changelog/60072.fixed
+++ b/changelog/60072.fixed
@ -0,0 +1 @@
+Ensure proper access to the created temporary file when ``runas`` is passed to ``cmd.exec_code_all``
--- a/salt/modules/cmdmod.py
+++ b/salt/modules/cmdmod.py
@ -3195,8 +3195,24 @@ def exec_code_all(lang, code, cwd=None, args=None, **kwargs):
    elif isinstance(args, list):
        cmd += args

+    def _cleanup_tempfile(path):
+        try:
+            __salt__["file.remove"](path)
+        except (SaltInvocationError, CommandExecutionError) as exc:
+            log.error(
+                "cmd.exec_code_all: Unable to clean tempfile '%s': %s",
+                path,
+                exc,
+                exc_info_on_loglevel=logging.DEBUG,
+            )
+
+    runas = kwargs.get("runas")
+    if runas is not None:
+        if not salt.utils.platform.is_windows():
+            os.chown(codefile, __salt__["file.user_to_uid"](runas), -1)
+
    ret = run_all(cmd, cwd=cwd, python_shell=False, **kwargs)
-    os.remove(codefile)
+    _cleanup_tempfile(codefile)
    return ret


--- a/tests/pytests/integration/modules/test_cmdmod.py
+++ b/tests/pytests/integration/modules/test_cmdmod.py
@ -0,0 +1,15 @@
+import pytest
+
+
+@pytest.fixture(scope="module")
+def non_root_account():
+    with pytest.helpers.create_account() as account:
+        yield account
+
+
+@pytest.mark.skip_if_not_root
+def test_exec_code_all(salt_call_cli, non_root_account):
+    ret = salt_call_cli.run(
+        "cmd.exec_code_all", "bash", "echo good", runas=non_root_account.username
+    )
+    assert ret.exitcode == 0
				`@ -0,0 +1 @@`
				Ensure proper access to the created temporary file when ``runas`` is passed to ``cmd.exec_code_all``