My hosts file
ansible_user=ansible
Playbook
- name: WordPress setup
  hosts: servers
  gather_facts: false
  remote_user: ansible
  become: true
  roles:
    - wp
Role's task
- name: Update admin user's password
  command: wp user update admin
    --user_pass="{{ wp_admin_pwd }}"
  args:
    chdir: "/var/www/{{ domain_name }}"
  become: yes
  become_user: www-data
Running this playbook, an error shows up:
Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user
(rc: 1, err: chmod: invalid mode: ‘A+user:www-data:rx:allow’
Try 'chmod --help'
The user I'm using to connect to the remote server, named ansible, is a user with sudo privileges.
The WordPress installation runs under the NGINX www-data user.
Am I missing something?
As pointed out in the chapter Risks of becoming an unprivileged user, when becoming an unprivileged user, Ansible has to rely on some tricks to make the file readable by both the remote_user and the become_user.
One of the ways Ansible can solve this on POSIX systems is by relying on the setfacl command.
Source: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#risks-of-becoming-an-unprivileged-user
So, one way to resolve this is to install the acl package on the remote node, for example on a Debian distribution (e.g.: Debian, Ubuntu, ...):
Or via the playbook itself in a pre_tasks, e.g.:
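The pre_tasks approach described in the answer above, written out as an added example (not the answerer's original code). It assumes a Debian-family target, so it uses ansible.builtin.apt, and it reuses the play and the wp role from the question. The argv form and no_log on the role task are extra additions that keep the rendered password out of task output and avoid quoting problems.

```yaml
# Added example. File 1: the playbook from the question, plus a pre_tasks block.
- name: WordPress setup
  hosts: servers
  gather_facts: false
  remote_user: ansible
  become: true

  pre_tasks:
    # Runs as root through the play-level become, before any role task,
    # so setfacl exists by the time a task becomes the unprivileged
    # www-data user and Ansible has to share its temporary files.
    - name: Install the acl package (provides setfacl)
      ansible.builtin.apt:
        name: acl
        state: present
        update_cache: true
        cache_valid_time: 3600

  roles:
    - wp

---
# Added example. File 2: the role task (roles/wp/tasks/main.yml is the
# conventional role layout and is assumed here).
- name: Update admin user's password
  ansible.builtin.command:
    # argv passes each argument as-is, so a password containing quotes
    # or spaces is not re-split.
    argv:
      - wp
      - user
      - update
      - admin
      - "--user_pass={{ wp_admin_pwd }}"
    chdir: "/var/www/{{ domain_name }}"
  become: true
  become_user: www-data
  # Keeps the rendered command line, including the password, out of
  # Ansible's task output and logs.
  no_log: true
```

With setfacl present, Ansible can grant the become_user access to its temporary files through an ACL instead of failing on the chmod fallback shown in the error.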