Skip to content

no-same-owner

This rule checks that the owner and group do not transfer across hosts.

In many cases the owner and group on remote hosts do not match the owner and group assigned to source files. Preserving the owner and group during transfer can result in errors with permissions or leaking sensitive information.

When you synchronize files, you should avoid transferring the owner and group by setting owner: false and group: false arguments. When you unpack archives with the ansible.builtin.unarchive module you should set the --no-same-owner option.

This is an opt-in rule. You must enable it in your Ansible-lint configuration as follows:

enable_list:
  - no-same-owner

Problematic Code

---
- name: Example playbook
  hosts: all
  tasks:
    - name: Synchronize conf file
      ansible.posix.synchronize:
        src: /path/conf.yaml
        dest: /path/conf.yaml # <- Transfers the owner and group for the file.
    - name: Extract tarball to path
      ansible.builtin.unarchive:
        src: "{{ file }}.tar.gz"
        dest: /my/path/ # <- Transfers the owner and group for the file.

Correct Code

---
- name: Example playbook
  hosts: all
  tasks:
    - name: Synchronize conf file
      ansible.posix.synchronize:
        src: /path/conf.yaml
        dest: /path/conf.yaml
        owner: false
        group: false # <- Does not transfer the owner and group for the file.
    - name: Extract tarball to path
      ansible.builtin.unarchive:
        src: "{{ file }}.tar.gz"
        dest: /my/path/
        extra_opts:
          - --no-same-owner # <- Does not transfer the owner and group for the file.