How does ansible module trigger particular linux commands? - linux

I would like to know how an Ansible module invokes a particular command on a Linux machine.
Example: when we use the module user, does this module trigger useradd or adduser on the Linux machine?
My use case is that I want to limit sudo access for the user that runs Ansible scripts, so that I can give only the required permissions to that particular user by adding the following entry in /etc/sudoers.
%sftpadmin ALL=NOPASSWD: /usr/sbin/useradd,/usr/sbin/adduser,/usr/bin/passwd,/usr/sbin/usermod,/usr/sbin/groupadd,/usr/bin/chgrp,/usr/bin/chmod,/usr/bin/chown,/usr/bin/systemctl,/usr/sbin/service
If Ansible uses any other way to perform tasks, let me know what can be done to minimise the user's sudo access in this scenario.
Thanks in advance.

From the ansible.builtin.user module documentation:
On all other platforms, this module uses useradd to create, usermod to modify, and userdel to remove accounts.
Source
But as Zeitounator said above, you cannot limit privilege escalation permissions to certain commands.
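To see why a command allowlist in sudoers does not carry over to Ansible's become, here is an added example (not from the question, the answer or the Ansible project) that models the sudoers command-matching rule in Python; the become command line is a constructed sample of the shape Ansible's sudo become plugin produces, and the interpreter and module paths in it are assumptions.

```python
import shlex

# The /etc/sudoers entry from the question: group sftpadmin may run these
# binaries as root without a password, and nothing else.
SUDOERS_LINE = (
    "%sftpadmin ALL=NOPASSWD: /usr/sbin/useradd,/usr/sbin/adduser,/usr/bin/passwd,"
    "/usr/sbin/usermod,/usr/sbin/groupadd,/usr/bin/chgrp,/usr/bin/chmod,"
    "/usr/bin/chown,/usr/bin/systemctl,/usr/sbin/service"
)

def parse_cmnd_specs(line):
    """Return [(path, args)] from a sudoers user specification. Simplified model:
    no Cmnd_Alias, wildcards, digests, negation or sudoedit, and paths without ':'."""
    _, _, rhs = line.partition("=")        # "NOPASSWD: /usr/sbin/useradd,..."
    _, _, cmnds = rhs.rpartition(":")      # drop the tag list
    specs = []
    for spec in cmnds.split(","):
        words = shlex.split(spec)
        if words:
            specs.append((words[0], words[1:]))
    return specs

def sudoers_allows(specs, argv):
    """True if argv (fully qualified command plus arguments) matches a spec.
    Per sudoers(5): a spec without arguments matches any arguments, a spec
    with arguments matches only that exact argument list."""
    return any(argv[0] == path and (not args or argv[1:] == args)
               for path, args in specs)

# Constructed sample of what Ansible's sudo become plugin actually runs: not the
# module's binary, but a shell that prints a success marker and then starts the
# Python interpreter on the uploaded module file (paths are assumptions).
ANSIBLE_BECOME_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-placeholder ; "
    "/usr/bin/python3 /home/sftpadmin/.ansible/tmp/AnsiballZ_user.py",
]

def check_policy():
    specs = parse_cmnd_specs(SUDOERS_LINE)
    direct = sudoers_allows(specs, ["/usr/sbin/useradd", "-m", "bob"])
    become = sudoers_allows(specs, ANSIBLE_BECOME_ARGV)
    # Adding /bin/sh to make become work would let any command through.
    with_shell = sudoers_allows(specs + [("/bin/sh", [])], ["/bin/sh", "-c", "id"])
    return direct, become, with_shell

if __name__ == "__main__":
    print(check_policy())   # (True, False, True)
```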

Related

The program executed by sudo obtains the wrong DBUS and env

I need to use getenv to determine whether the system is X11 or Wayland, and DBUS to realize the screen capture function.
They work well without sudo.
However, when using sudo, getenv gets the wrong value and gdbus cannot locate DBUS.
I'm pretty sure this is a problem with sudo because I tried
echo $WAYLAND_DISPLAY and sudo echo $Wayland_DISPLAY, d-feet and sudo d-feet. They are right when they don't use sudo.
However, due to the requirements of other functions in the program, I have to use sudo. Is there any good idea?
By default, sudo runs the command in a new, fresh environment. From man sudo:
-E, --preserve-env
Indicates to the security policy that the user wishes to preserve their
existing environment variables. The security policy may return an error
if the user does not have permission to preserve the environment.
--preserve-env=list
Indicates to the security policy that the user wishes to add the comma-
separated list of environment variables to those preserved from the user's
environment. The security policy may return an error if the user does not
have permission to preserve the environment. This option may be specified
multiple times.
You can list the variables you want to preserve.
sudo --preserve-env=DBUS_SESSION_BUS_ADDRESS,DISPLAY,WAYLAND_DISPLAY,other_variables,etc command

Custom mechanism to switch to root user using playbook

Till now I had been using become: true for running a task as root user (whenever required).
But this time the hardware I am trying to control is a bit different. It's a VM controlled by a different team, where sudo operations are restricted. You are not allowed to do sudo su either. Simply, sudo is not permitted.
In case you want to switch to a root shell, you have to execute a command (which maps to a binary) sudo rootshell (the only operation permitted with sudo). This is done in order to log sudo attempts.
Now, this fails my playbook as I cannot use become: true in case I want to install some package. Does an Ansible playbook provide any solution for this? I tried shell: sudo rootshell and failed, but even if it had worked I don't feel the session would be maintained across tasks.

Run executable file from a different user

While creating an rpm spec file I have created a new user and group in the %pre section. This new user does not, however, have permission to log in from a shell, for security purposes. Now when I install the rpm this new user is successfully created. However, I wish to start the installed rpm service with the newly created user. Currently I simply write 'filePath/file.exe file.cfg' to execute file.exe with its configuration file, i.e. file.cfg, in my 'init.d' file to start the service. How can I modify this command to start the same service but with the user that I created while installing the rpm? Basically I want to execute the program in my init.d file but through a different user, like I would have done with sudo if my required user were the super user. Any feedback will be highly appreciated.
Your initial starting point both for installing the rpm and for running the service is privileged. For instance, on my CentOS 6 machine, I see in /etc/passwd
games:x:12:100:games:/usr/games:/sbin/nologin
but running as root, I can do this:
$ sudo -u games /bin/sh
sh-4.1$ echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin
sh-4.1$ id
uid=12(games) gid=100(users) groups=100(users) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
sh-4.1$ cd
sh-4.1$ pwd
/usr/games
In your service script, you can use sudo to run a given process as another user (though a quick check of the same machine does not show this being done).
@msuchy points out that runuser may be preferable. I see that this is relatively recent (according to Ubuntu runuser command?, it appeared in util-linux 2.23 -- lacking a date makes release notes less than useful...). The oblique comments in its documentation about PAM make it sound as if this circumvents some of the security checks. Perhaps someone has a better comment about that.

Need to reboot Xubuntu to make chgrp work?

I recently noticed a fairly strange and for me unexpected behaviour in Xubuntu 12.04 and 14.04.
I was doing the following:
Testing if my user is in the group users, with
groups $USER
This is not the case by default. So I add my user to this group:
sudo usermod -a -G users $USER
I can then check the file /etc/group and will see my user added to the entry.
I then would like to give the group users access to some files, in my example the www and cgi-bin directory:
sudo chgrp users /var/www /usr/lib/cgi-bin
I also want that my group can write into the directories:
sudo chmod g+w /var/www /usr/lib/cgi-bin
I would assume that I can now create a file in those directories, but I can't. Neither from the command line, nor from the standard file browser of Xubuntu.
Somewhere I read that I need to log out from the terminal to make it work, so I close and reopen the command-line terminal, but it is still not working.
But: if I reboot the whole system, everything works as it should...
Seriously??? Why is this, is it a bug or a feature, and are there better ways than restarting the complete OS?
(I thought the strength of Linux is exactly that you don't need to reboot all the time like in other "popular" OS)
(Note: I have not tested this on other systems as e.g. Debian yet...)
Group memberships are inherited from process to process, like many other things in a unixoid environment. That means a running shell will not be affected by such changes in the account configuration. Also, just opening a new terminal or shell will not show the change, since it is spawned from an already running process, ultimately from the initial process started right after the login.
You have to re-run the login process instead, either by restarting the graphical environment or by doing a logout/login sequence when working on the virtual terminals. Obviously, rebooting will also lead to a new login process.
The only direct alternative is to spawn a new login shell explicitly: bash -l, for example, does the trick: it re-executes all the stuff run through at login time. But note that this only affects that started shell and processes spawned from it. It does not affect other already running processes. So you have a somewhat mixed environment then...
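An added example (not from the question or the answer) that makes the inheritance visible: it compares the group list recorded in the account database with the group list carried in the running process's own credentials, which is the list the kernel consults when the chgrp'ed directory is accessed.

```python
import grp
import os
import pwd

def database_groups(user):
    """Group names the account database assigns to `user`: the primary group
    from the passwd entry plus every group whose member list names the user."""
    primary_gid = pwd.getpwnam(user).pw_gid
    names = {grp.getgrgid(primary_gid).gr_name}
    names.update(g.gr_name for g in grp.getgrall() if user in g.gr_mem)
    return names

def group_names(gids):
    """Map numeric gids to names; keep the number for gids without an entry
    (common inside containers)."""
    names = set()
    for gid in gids:
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add(str(gid))
    return names

def process_groups():
    """Groups from this process's credentials. They were copied at login time
    and do not change when usermod edits /etc/group afterwards."""
    return group_names(set(os.getgroups()) | {os.getgid()})

def stale_memberships(database, process):
    """Groups granted in the account database that this process cannot use
    until a new login (or a new login shell such as bash -l) picks them up."""
    return sorted(set(database) - set(process))

def check_current_user():
    user = pwd.getpwuid(os.getuid()).pw_name
    return stale_memberships(database_groups(user), process_groups())

if __name__ == "__main__":
    stale = check_current_user()
    print("memberships not yet active in this process:", stale or "none")
```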

SVN Post-Commit Hook to Publish Website?

I've got an SVN instance installed on a free EC2 AWS server. In short: I'm using LAMP.
I used what I read in this article and encountered the "you need a TTY" error as mentioned in the comments. I followed the second resource and it cleared the error message, but it doesn't seem to be executing the script. When I manually run the script, however, it works.
Any clue what I'm missing?
When I followed the second resource to fix the TTY error I changed the contents of my /svn/repository/hooks/post-commit script from:
#!/bin/bash
sudo /usr/local/bin/svn-post-commit-update-mysite 1>&2
to:
#!/bin/bash
su --session-command="/usr/local/bin/svn-post-commit-update-mysite 1>&2" dynamic &
First possible issue:
You cannot rely on the value of the $PATH variable inside the hook. This means you need to specify complete paths for all executables.
In particular, "su" is a program located in "/bin/sh" in most distributions. To be sure, type
type su
Next possible issue:
Is your subversion server being run as root? su will try to ask for password if run by other users, and will fail if it's not being run interactively - even if the user is in the sudoers file!
If you are using Apache+DAV, this means the apache service must be run as root for this to work (instead of www-data), which is a serious security problem.
You probably don't need to use su or sudo at all if all of the files are owned by the same user (www-data, for instance). You can change the ownership of the site files with something like
sudo chown -R www-data:www-data /var/www/<my-project>
And then remove the sudo and su from both the hook and the svn-post-commit-update-mysite file.
My best guess would be that something in your script depends on the PATH environment variable. Subversion runs hooks in an empty environment for security reasons. So you need to either set up the environment in your shell script or use absolute paths.
You might want to read the Subversion book entry on implementing hook scripts. The particular issue I mentioned is explained in the information block.