Use setfacl (acl package) instead of enabling allow_world_readable_tmpfiles

If the temporary directory on the remote host is mounted with POSIX acls enabled and the setfacl tool is in the remote PATH then Ansible will use POSIX acls to share the module file with the second unprivileged user instead of having to make the file readable by everyone.

This also avoids the warning:
 [WARNING]: Using world-readable permissions for temporary files Ansible needs to create when becoming an unprivileged user. This may be insecure. For information on securing this, see
https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

Author: vitabaks

ansible.cfg

@@ -2,7 +2,7 @@
 inventory = ./inventory
 display_skipped_hosts = false
 remote_tmp = /tmp/${USER}/ansible
-allow_world_readable_tmpfiles = true
+allow_world_readable_tmpfiles = false # or "true" if the temporary directory on the remote host is mounted with POSIX acls disabled or the remote machines use ZFS.
 host_key_checking = false
 timeout=60
 

vars/Debian.yml

@@ -41,6 +41,7 @@ system_packages:
   - gzip
   - jq
   - iptables
+  - acl
 
 postgresql_packages:
   - postgresql-{{ postgresql_version }}

vars/RedHat.yml

@@ -40,6 +40,7 @@ system_packages:
   - gzip
   - jq
   - iptables
+  - acl
 
 postgresql_packages:
   - postgresql{{ postgresql_version_terse }}