
user module incorrectly reports success on Alpine when using unsupported seuser parameter #85542

@gdrosos

Summary

The ansible.builtin.user module silently ignores the seuser parameter when run on Alpine Linux (BusyBox backend), but still reports changed: true, even though Alpine does not support the corresponding functionality (i.e., useradd -Z is unrecognized). This soundness issue can mislead users into thinking that SELinux-related options were applied, when in fact they are ignored.

Issue Type

Bug Report

Component Name

user

Ansible Version

$ ansible --version

ansible [core 2.18.7]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.11 (main, Jun  9 2025, 08:58:46) [GCC 13.2.1 20240309] (/usr/bin/python3)
  jinja version = 3.1.6
  libyaml = True

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all

OS / Environment

Alpine 3.20.6 & 3.21.3

Steps to Reproduce

On Alpine, run:

- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Try creating user with nonexistent SELinux user
      ansible.builtin.user:
        name: badseuser
        seuser: nonexistent_u
        state: present
      register: result

Expected Results

We would expect the task to fail, since Alpine is not an SELinux-enabled OS. In fact, the BusyBox version of useradd used on Alpine returns:

useradd: unrecognized option: Z
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]
....

For some context, on other OSes (e.g. Ubuntu, Rocky, Debian, SUSE Leap, RHEL, Fedora) we get:

TASK [Try creating user with nonexistent SELinux user] **********************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "useradd: -Z requires SELinux enabled kernel\n", "name": "badseuser", "rc": 3}

Actual Results

TASK [Try creating user with nonexistent SELinux user] **********************************************************************************************************************************************************
changed: [localhost]

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
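
Until the module rejects the parameter itself, a playbook can guard against the silent success described in this report. The following is an added example, not part of the original issue or of the Ansible project's code: it refuses to pass seuser where the selinux fact is not "enabled", then reads the mapping back instead of trusting changed: true. The variables account_name and account_seuser are hypothetical, and the read-back assumes semanage is installed on SELinux hosts.

```yaml
# Added example: guard and verify around ansible.builtin.user with seuser.
# account_name and account_seuser are hypothetical variables for this sketch.
- hosts: all
  become: true
  gather_facts: true          # the selinux fact is needed by the guard below
  vars:
    account_name: appsvc      # constructed sample value
    account_seuser: staff_u   # constructed sample value
  tasks:
    - name: Fail early when seuser is requested but SELinux is not enabled
      ansible.builtin.assert:
        that:
          - "(ansible_facts.selinux | default({})).status | default('') == 'enabled'"
        fail_msg: >-
          seuser={{ account_seuser }} requested on {{ inventory_hostname }}
          ({{ ansible_facts.distribution | default('unknown') }}), but SELinux
          is not enabled there; the mapping would not be applied.
      when: account_seuser | default('') | length > 0

    - name: Create the account
      ansible.builtin.user:
        name: "{{ account_name }}"
        seuser: "{{ account_seuser | default(omit, true) }}"
        state: present

    - name: Read back the SELinux login mappings
      ansible.builtin.command: semanage login -l
      register: semanage_out
      changed_when: false
      when: account_seuser | default('') | length > 0

    - name: Confirm the mapping exists instead of trusting "changed"
      ansible.builtin.assert:
        that:
          - >-
            semanage_out.stdout_lines
            | select('match', (account_name | regex_escape) ~ ' +' ~ (account_seuser | regex_escape) ~ ' ')
            | list | length > 0
        fail_msg: "No SELinux login mapping {{ account_name }} -> {{ account_seuser }} found"
      when: account_seuser | default('') | length > 0
```

On an Alpine host the first assert stops the play before the user task runs, so the misleading changed: true result is never produced.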


Labels: affects_2.18, bug, module, needs_triage
