TransWikia.com

sudo twice become method for Ansible

Server Fault Asked by Beam Davis on January 3, 2022

I have to deal with a setup in "/etc/sudoers" that I can’t change because the servers in question are managed by a different team and they don’t want to change it.

I have root access only by sudoing to another account first. My account is only allowed to run the specific command "sudo su – admin" (no additional arguments can be appended). Then, as user "admin", I can run any root commands normally with sudo (e.g., "sudo vi /etc/shadow", etc.) or open a root shell with "sudo -s" or "sudo su -", etc.

I want to run Ansible ad-hoc commands and playbooks as root (e.g., "become: yes") on these servers from a different server that I control, but it would require that Ansible first run "sudo su – admin", then run the normal "sudo" command.

I know you can create custom become methods. This seems to me the way to solve this problem, but the specific solution is beyond me. Can anyone help with this?

BTW, if it helps, "NOPASSWD:" is set for both my account and "admin" in "/etc/sudoers".

One Answer

It's hard to manage systems this way/automate things. I don't really have a straight answer for you but it might be a starting point and give you some ideas.

Assuming the following on the remote server:

[root@node3 ~]# grep "gheo|admin" /etc/sudoers
Defaults:admin !requiretty
Defaults:gheo !requiretty
gheo ALL=(ALL) NOPASSWD:/bin/su - admin
admin ALL=(ALL)       NOPASSWD: ALL

Play:

---
- name: something
  hosts: node3
  vars:
    maybe: "sudo su - admin <<EOFnsudo su -"
  tasks:

    - name: check something
      shell: "{{ maybe }}; sudo tail -1 /etc/shadow"
      register: aa

    - debug:
        var: aa.stdout_lines

Output:

PLAY [something] *******************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************
ok: [node3]

TASK [check something] *************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

changed: [node3]

TASK [debug] ***********************************************************************************************************************************************************************************
ok: [node3] => {
    "aa.stdout_lines": [
        "Last login: Sat Aug  8 01:05:16 CEST 2020",
        "admin:!!:18481:1:90:7:::",
        "Last login: Sat Aug  8 01:05:16 CEST 2020"
    ]
}

PLAY RECAP *************************************************************************************************************************************************************************************
node3                      : ok=3    changed=1    unreachable=0    failed=0

Unfortunately I don't see this working for anything other that shell module, or maybe command, I didn't try that one.

Another option, although I don't know how practical, would be to use ansible to run a script on remote server.

[gheo@node3 ~]$ cat /home/gheo/bla.sh
#!/bin/sh
sudo su - admin <<EOF
sudo su -
tail -1 /etc/shadow
EOF

[gheo@mgt1 ~]$ ansible node3 -a "/home/gheo/bla.sh"
node3 | CHANGED | rc=0 >>
admin:!!:18481:1:90:7:::
Last login: Sat Aug  8 01:03:28 CEST 2020
Last login: Sat Aug  8 01:04:24 CEST 2020 on pts/2

You did not mention but I assumed you cannot log in directly as "admin" user, it would be easier if you could.

Answered by zorry on January 3, 2022

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP