ErrorNotes

Fix Ansible Ignoring ansible.cfg in World-Writable Directory

beginner๐Ÿ”ง Ansible2026-05-07| Ansible 2.x and later, Linux/macOS, any directory with chmod 777 or other-write permissions

Error Message

Ansible is being run in a world writable directory (/path/to/dir), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
#ansible-cfg#permissions#world-writable#configuration

What you're seeing

You run a playbook and Ansible isn't picking up your ansible.cfg โ€” or you see this warning in the terminal:

Ansible is being run in a world writable directory (/path/to/dir), ignoring it as an ansible.cfg source.
For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir

The playbook keeps running, but with default settings โ€” or worse, it silently picks up a config from somewhere else. Inventory paths, become settings, SSH options: any of these can behave differently than you expect without a single error message.

Why Ansible does this

Ansible refuses to load ansible.cfg from a directory that anyone on the system can write to. The security reason is straightforward: if other users can write to that directory, they could drop a fake ansible.cfg there. That fake config could then override your SSH keys, privilege escalation settings, or callback plugins โ€” without you noticing.

This check landed in Ansible 2.4 and has no override flag. There's no environment variable to skip it. The only way forward is fixing the directory permissions.

Check your current permissions

Before touching anything, confirm what you're actually dealing with:

ls -ld /path/to/dir

A world-writable directory looks like this โ€” spot the w in the last triplet:

drwxrwxrwx 3 alice devops 4096 May  6 10:00 /path/to/dir
#        ^--- this "w" is the problem

Ansible rejects any directory where "others" have write access. That's the third group of three characters in the permission string. drwxrwxrwx (777) triggers it. drwxrwxr-x (775) does not โ€” others can only read. When in doubt, look at that last w.

Quick fix: remove world-write permission

Strip the world-writable bit:

chmod o-w /path/to/dir

For most project directories, 755 is the right call:

chmod 755 /path/to/dir

Verify it worked:

ls -ld /path/to/dir
# Should now show: drwxr-xr-x

Run the playbook again. The warning disappears and Ansible loads your config normally.

If it's a shared or system directory

Sometimes you're inside /tmp, a shared workspace, or a CI/CD agent directory that's intentionally world-writable โ€” and you can't just change those permissions. Two options:

Option 1 โ€” Move your ansible.cfg somewhere safer

Ansible searches several locations in a fixed order. Your home directory is one of them, and it's almost always a safe permission.

mkdir -p ~/.ansible
cp ansible.cfg ~/.ansible/ansible.cfg

Or skip the directory search entirely with ANSIBLE_CONFIG. Point it at the file directly โ€” Ansible skips the directory permission check when you use this variable:

export ANSIBLE_CONFIG=/home/alice/secure-dir/ansible.cfg
ansible-playbook site.yml

Option 2 โ€” Fix permissions in your CI/CD pipeline

Checkout directories in CI often get broad permissions by default. Add a step before your Ansible run to tighten them:

# GitHub Actions
- name: Fix workspace permissions
  run: chmod 755 $GITHUB_WORKSPACE

- name: Run playbook
  run: ansible-playbook site.yml

GitLab CI:

before_script:
  - chmod 755 "$CI_PROJECT_DIR"

Confirm the fix worked

Check which config file Ansible is actually loading:

ansible --version

Look at the config file line:

ansible [core 2.16.0]
  config file = /path/to/dir/ansible.cfg   โ† should point to your file now
  configured module search path = ...
  ...

If it still shows config file = None or an unexpected path, the directory permissions aren't fixed yet โ€” or Ansible is finding a different config higher up in the search order.

For a full picture of every active setting and where it came from, run:

ansible-config dump --only-changed

Common mistakes after fixing

  • Fixing the file, not the directory โ€” Ansible checks directory permissions. Running chmod 600 ansible.cfg does nothing here; you need to fix the folder that contains the file.
  • Nested directories โ€” If your ansible.cfg sits at /shared/projects/myapp/, fix that directory. Not its parent. Ansible checks only the directory that directly contains the config file.
  • Working from /tmp โ€” /tmp has the sticky bit (drwxrwxrwt) but is still world-writable. Ansible will ignore any ansible.cfg there. Move your project to a proper working directory.

Tips

Permission numbers like 755 or 777 can be hard to read at a glance. The Unix Permissions Calculator on ToolCraft lets you type in any chmod value and see exactly which read/write/execute bits are set for owner, group, and others โ€” handy before you change permissions on a shared directory.

For group_vars or host_vars files that won't parse as expected, the YAML โ†” JSON Converter is a quick way to catch indentation errors: paste your YAML, convert to JSON, and any structural problems surface immediately.

Related Error Notes

Fixing the 'ansible_distribution is undefined' Error in Ansible Playbooks

The conditional check failed. The error was: 'ansible_distribution' is undefined

Fix: Ansible 'json_query' filter requires 'jmespath' to be installed on the Ansible controller

The task includes an option with an undefined variable. The error was: 'json_query' filter requires 'jmespath' to be installed on the Ansible controller

Solving Ansible's 'NoneType is not iterable' Error in Conditional Checks

The conditional check 'item in some_var' failed. The error was: argument of type 'NoneType' is not iterable