AnswerBun.com

sudo twice become method for Ansible

Server Fault Asked by Beam Davis on January 3, 2022

I have to deal with a setup in "/etc/sudoers" that I can’t change because the servers in question are managed by a different team and they don’t want to change it.

I have root access only by sudoing to another account first. My account is only allowed to run the specific command "sudo su - admin" (no additional arguments can be appended). Then, as user "admin", I can run any root commands normally with sudo (e.g., "sudo vi /etc/shadow", etc.) or open a root shell with "sudo -s" or "sudo su -", etc.

I want to run Ansible ad-hoc commands and playbooks as root (e.g., "become: yes") on these servers from a different server that I control, but it would require that Ansible first run "sudo su - admin", then run the normal "sudo" command.

I know you can create custom become methods. This seems to me the way to solve this problem, but the specific solution is beyond me. Can anyone help with this?

BTW, if it helps, "NOPASSWD:" is set for both my account and "admin" in "/etc/sudoers".

One Answer

It's hard to manage systems this way/automate things. I don't really have a straight answer for you but it might be a starting point and give you some ideas.

Assuming the following on the remote server:

[[email protected] ~]# grep -E "gheo|admin" /etc/sudoers
Defaults:admin !requiretty
Defaults:gheo !requiretty
gheo ALL=(ALL) NOPASSWD:/bin/su - admin
admin ALL=(ALL)       NOPASSWD: ALL

Play:

---
- name: something
  hosts: node3
  vars:
    maybe: "sudo su - admin <<EOF\nsudo su -"
  tasks:

    - name: check something
      shell: "{{ maybe }}; sudo tail -1 /etc/shadow"
      register: aa

    - debug:
        var: aa.stdout_lines

Output:

PLAY [something] *******************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************
ok: [node3]

TASK [check something] *************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

changed: [node3]

TASK [debug] ***********************************************************************************************************************************************************************************
ok: [node3] => {
    "aa.stdout_lines": [
        "Last login: Sat Aug  8 01:05:16 CEST 2020",
        "admin:!!:18481:1:90:7:::",
        "Last login: Sat Aug  8 01:05:16 CEST 2020"
    ]
}

PLAY RECAP *************************************************************************************************************************************************************************************
node3                      : ok=3    changed=1    unreachable=0    failed=0

Unfortunately I don't see this working for anything other than the shell module, or maybe command, I didn't try that one.

Another option, although I don't know how practical, would be to use ansible to run a script on the remote server.

[[email protected] ~]$ cat /home/gheo/bla.sh
#!/bin/sh
sudo su - admin <<EOF
sudo su -
tail -1 /etc/shadow
EOF

[[email protected] ~]$ ansible node3 -a "/home/gheo/bla.sh"
node3 | CHANGED | rc=0 >>
admin:!!:18481:1:90:7:::
Last login: Sat Aug  8 01:03:28 CEST 2020
Last login: Sat Aug  8 01:04:24 CEST 2020 on pts/2

You did not mention it, but I assumed you cannot log in directly as the "admin" user; it would be easier if you could.

Answered by zorry on January 3, 2022
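The question asks for a custom become method rather than the shell trick above. As an added example (not part of the answer or of Ansible itself), the following Python shows what such a plugin's `build_become_command()` would return for the sudoers in the answer: the first hop is the only permitted command, `sudo su - admin`, with the second hop fed to su's login shell on stdin, because `su -c` would be rejected as extra arguments. The user names `gheo`/`admin` come from the answer; the marker prefix, here-document tag and the `strip_until_success` helper are assumptions modelled on how Ansible's stock become plugins signal success.

```python
import secrets
import shlex

SUCCESS_PREFIX = "BECOME-SUCCESS-"   # marker style used by Ansible's stock become plugins
HEREDOC_TAG = "ANSIBLE_HOP_EOF"      # assumed delimiter; must not occur inside the wrapped command


def build_two_hop_become_command(cmd, hop_user="admin", become_user="root",
                                 success_key=None):
    """Return the shell text a custom become plugin would hand back.

    In a real plugin this is the body of build_become_command(self, cmd, shell)
    in a subclass of ansible.plugins.become.BecomeBase, dropped into a
    become_plugins/ directory next to the playbook and selected with
    become_method (assumed layout, not shown on the page)."""
    if not cmd:
        return cmd
    key = success_key or SUCCESS_PREFIX + secrets.token_hex(16)
    # Second hop: admin's unrestricted NOPASSWD sudo runs the real command as
    # the target user. Echoing the key first tells Ansible escalation worked,
    # and shlex.quote keeps any quotes inside cmd from breaking out of sh -c.
    inner = "sudo -n -u %s /bin/sh -c %s" % (
        shlex.quote(become_user), shlex.quote("echo %s; %s" % (key, cmd)))
    # First hop: exactly the command sudoers allows (/bin/su - admin). -n makes
    # sudo fail instead of hanging for a password if NOPASSWD is ever removed;
    # the login shell reads the here-document from stdin (needs !requiretty).
    return "sudo -n su - %s <<'%s'\n%s\n%s" % (hop_user, HEREDOC_TAG, inner, HEREDOC_TAG)


def strip_until_success(stdout, success_key):
    """Discard everything the login shells print before the marker (the
    'Last login: ...' lines visible in the answer's output), the way Ansible's
    connection layer discards output preceding the become success key."""
    lines = stdout.splitlines()
    for i, line in enumerate(lines):
        if success_key in line:
            return "\n".join(lines[i + 1:])
    raise RuntimeError("become success marker not found: escalation failed")


if __name__ == "__main__":
    print(build_two_hop_become_command("tail -1 /etc/shadow"))
```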
