This issue seems to be breaking the ansible lookup plugin

https://docs.ansible.com/ansible/latest/collections/community/general/onepassword_lookup.html

Thanks Jack.

Hi @gunzy83:

Sorry about that, it looks like your comments might have got caught in our spam filter. What I can tell you is that we're looking into this and hope to share more soon.

Jack

Apologies for the duplicate comments. Every time I reloaded the page a few hours later my draft was still sitting there and my comment was not there.

Dupe

I have run into this a number of times now, and it is frustrating because it slows my development work, particularly when I just want to use existing integrations in things like Ansible but also not rely on system dependencies like system python. It appears that the op cli communicates which process is calling it to the 1password desktop app, which then checks for root ownership of that binary.

My main test case that was simple to get going was running task (taskfile.dev) installed via asdf-vm (installed in my user directory). Running the op read command in a task cmds entry would result in failure:

WARN 2023-02-14T08:14:33.816 tokio-runtime-worker(ThreadId(5)) [1P:foundation/op-sys-info/src/process_information/linux.rs:247] binary permission verification failed for /home/$USER/.asdf/installs/task/3.17.0/bin/task
INFO 2023-02-14T08:14:33.816 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
ERROR 2023-02-14T08:14:33.816 tokio-runtime-worker(ThreadId(5)) [1P:native-messaging/op-native-core-integration/src/lib.rs:481] Failed to accept new connection.: PipeAuthError(UnknownPeer(BinaryPermissions))

However, adding a shim script in the middle (run using system bash which is owned by root) works. This led me to creating this script in ~/.bin/op (~/.bin is on my path) for my test cases:
```

!/bin/bash

/usr/bin/op $@
``
I was usingpstree -aps $$in earlier versions of the script to look at the process call tree, but it really wasn't necessary as it appears only the one immediately before runningop` actually matters. With this, calling op directly from task, python and others just work. This is trivially bypassing the restriction on binary ownership which just seems to get in the way.

@Jack.P_1P Forgive my ignorance, you can tell me this is all kinds of awful and to knock it off, but would it be possible to share with us the security reasons for the binary ownership restriction? It would also be good for this to be documented somewhere.

@rsysring I saw you were trying to use pyenv. I am wondering if the shim process the pyenv and other tools like asdf use may be an issue also.

I'd add this to my past comment but it is apparently being moderated:

$ op --version
2.12.0
$ 1password --version
8.9.10

Any resolution to this? I'm having the same problem trying to call op from a Python script.

Additionally, setting the python binary and it's directory to be owned by root did not resolve my issues.

Logs. First one shows successful signin from bash CLI. Second one shows attempt from Python using it's subprocess module.

INFO 2022-12-23T03:05:50.345 tokio-runtime-worker(ThreadId(10)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
INFO 2022-12-23T03:05:50.345 tokio-runtime-worker(ThreadId(10)) [1P:native-messaging/op-native-core-integration/src/lib.rs:307] Extension connection accepted.
ERROR 2022-12-23T03:05:54.467 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:60] message from b5x was None: EndConnection
ERROR 2022-12-23T03:05:54.467 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/connection_handler.rs:31] Dropping connection with b5x due to error handling incoming message: EndConnection
WARN 2022-12-23T03:06:14.128 tokio-runtime-worker(ThreadId(2)) [1P:foundation/op-sys-info/src/process_information/linux.rs:247] binary permission verification failed for /shared/apps/pyenv/versions/3.10.6/bin/python3.10
INFO 2022-12-23T03:06:14.128 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/lib.rs:305] Extension connecting.
ERROR 2022-12-23T03:06:14.128 tokio-runtime-worker(ThreadId(2)) [1P:native-messaging/op-native-core-integration/src/lib.rs:477] Failed to accept new connection.: PipeAuthError(UnknownPeer(BinaryPermissions))

You're very welcome.

Jack_P_1P, thanks for the update. I have a workaround (chmod root:root) but the behavior is odd and it does make it considerably harder to use a debugger on my executable. I tried to reproduce it with a test executable in place of op but I could not replicate the owner-dependent behavior. I tried running op with strace, but that gave me the same error. I read that ptrace no longer respects setuid/setgid bits because of potential vulnerabilities, but I expected to see a failed setgid syscall, which I did not see. So I guess op is using the effective GID or doing some other magic.