Docs: Add MD for no-same-owner rule (#2552)

* Docs: Add MD for no-same-owner rule * chore: auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
ansible · Oct 5, 2022 · e8c1ecc · e8c1ecc
1 parent 655ca30
commit e8c1ecc
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 6 deletions.
diff --git a/src/ansiblelint/rules/no_same_owner.md b/src/ansiblelint/rules/no_same_owner.md
@@ -0,0 +1,55 @@
+# no-same-owner
+
+This rule checks that the owner and group do not transfer across hosts.
+
+In many cases the owner and group on remote hosts do not match the owner and group assigned to source files.
+Preserving the owner and group during transfer can result in errors with permissions or leaking sensitive information.
+
+When you synchronize files, you should avoid transferring the owner and group by setting `owner: false` and `group: false` arguments.
+When you unpack archives with the `ansible.builtin.unarchive` module you should set the `--no-same-owner` option.
+
+This is an opt-in rule.
+You must enable it in your Ansible-lint configuration as follows:
+
+```yaml
+enable_list:
+  - no-same-owner
+```
+
+## Problematic Code
+
+```yaml
+---
+- name: Example playbook
+  hosts: all
+  tasks:
+    - name: Synchronize conf file
+      ansible.posix.synchronize:
+        src: /path/conf.yaml
+        dest: /path/conf.yaml # <- Transfers the owner and group for the file.
+    - name: Extract tarball to path
+      ansible.builtin.unarchive:
+        src: "{{ file }}.tar.gz"
+        dest: /my/path/ # <- Transfers the owner and group for the file.
+```
+
+## Correct Code
+
+```yaml
+---
+- name: Example playbook
+  hosts: all
+  tasks:
+    - name: Synchronize conf file
+      ansible.posix.synchronize:
+        src: /path/conf.yaml
+        dest: /path/conf.yaml
+        owner: false
+        group: false # <- Does not transfer the owner and group for the file.
+    - name: Extract tarball to path
+      ansible.builtin.unarchive:
+        src: "{{ file }}.tar.gz"
+        dest: /my/path/
+        extra_opts:
+          - --no-same-owner # <- Does not transfer the owner and group for the file.
+```
diff --git a/src/ansiblelint/rules/no_same_owner.py b/src/ansiblelint/rules/no_same_owner.py
@@ -14,18 +14,13 @@
 
 
 class NoSameOwnerRule(AnsibleLintRule):
-    """Owner should not be kept between different hosts."""
+    """Do not preserve the owner and group when transferring files across hosts."""
 
     id = "no-same-owner"
     description = """
 Optional rule that highlights dangers of assuming that user/group on the remote
 machines may not exist on ansible controller or vice versa. Owner and group
 should not be preserved when transferring files between them.
-
-This rule is not enabled by default and was inspired by Zuul execution policy.
-See:
-https://zuul-ci.org/docs/zuul-jobs/policy.html\
-#preservation-of-owner-between-executor-and-remote
 """
     severity = "LOW"
     tags = ["opt-in"]