We have a user userA on the server which has access to sudo. I can login into the server and run sudo su - userA to switch to new user. However if I use Ansible, it is throwing me below error:
fatal: [node1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to node1 closed.\r\n", "module_stdout": "\r\nSorry, user abc is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-pzwmlpcvzvwafleunmvpwioi; /usr/bin/python /var/tmp/ansible-tmp-1533926060.36-184244176073120/setup.py' as userA on node1.\r\n", "msg": "MODULE FAILURE", "rc": 1}
Ansible file:
---
- hosts: all
become: yes
become_user: userA
become_method: sudo
tasks:
- name: Create file
command: touch /home/userA/testing
We don't have access to sudoers file. Is there a way to fix this without changing sudoers file?
I depends... If the sudoers configuration permits running /usr/bin/su - userA* (with a wildcard at the end allowing for the -c argument), then you can add become-configuration to your task in the following way:
- name: Create file
command: touch /home/userA/testing
vars:
ansible_become: true
ansible_become_method: su
ansible_become_user: userA
ansible_become_exe: 'sudo -p "Password: " su -'
If the password is required by sudoers, you must run ansible-playbook with --ask-become-pass (-K) option and connecting user's password (as for sudo).
First three parameters can be written directly as parameters to the task / play.
Otherwise you are probably destined for running expect module (likely on the controller machine) with all the drawbacks.
you can SetUID chmod u+s file on the files you want to run with UserA from userB. For Example, /usr/bin/passwd is a root file which has SetUID, so, any user can change its own passwd (using passwd command) while running the /usr/bin/passwd as root.
ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd
passwd
Changing password for user user.
Changing password for user.
(current) UNIX password:
Related
I am trying to run a simple Ansible playbook that shows a content of 'home' directory.
It runs successfully, but when I use:
become_user: "{{ TARGET_USER }}"
I get error:
"sudo: a password is required\r\n"
The 'Ansible user' is "blnapp1" and the 'Target user' is "couchbase"
I added permissions for "blnapp1" and "couchbase" users inside sudoers file as follows:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
blnapp1 ALL=(ALL) NOPASSWD: ALL
blnapp1 ALL=(ALL) ALL
ansible ALL= NOPASSWD: /home/blnapp1/playbook #path to playbook
couchbase ALL=(ALL) NOPASSWD: ALL
couchbase ALL=(ALL) ALL
I also added to all of the users ssh public key of each other into /.ssh/authorized_keys
Here is my inventory file:
web1 ansible_host=**** ansible_connection=local
[couchbase-install:children]
couchbase_cluster_nodes
couchbase_server_nodes
[couchbase_cluster_nodes]
primary1 ansible_host=**** ansible_user=blnapp1 TARGET_USER=couchbase couchbase_primary_cluster_node=**** couchbase_cluster_admin_port=*** couchbase_bucket_name=exampleBucket group_server=default
[couchbase_server_nodes]
[all:vars]
#configuration_mode can be vars or cc
configuration_mode=vars
couchbase_data_path="/userdata/data/CB/var/lib/couchbase/data"
couchbase_index_path= "/userdata/data/CB/var/lib/couchbase/data"
yum_path="sudo /bin/yum"
#couchbase_admin="Administrator"
#couchbase_password="Administrator"
And here is my playbook:
---
- name: I-test
hosts: primary1
become: true
become_user: "{{ TARGET_USER }}"
tasks:
- debug:
msg: 'TARGET_USER is: "{{ TARGET_USER }}"'
- name: show repo content
shell:
cmd: ls -la /home
The only way I found is to add "blnapp1" user to 'wheel' group. However, I really don't want "blnapp1" to have 'wheel' permissions..
Thanks in advance!
blnapp1 ALL=(ALL) NOPASSWD: ALL
blnapp1 ALL=(ALL) ALL
Those 2 lines basically tell the exact same thing: let blnapp1 launch any command as anyone. But the first one tells sudo not to ask for a password while the second one doesn't.
And after testing quickly against a debian:buster docker image, it appears only the last line encountered rules in this case, making sudo always ask for a password.
Simply remove the second line in your sudoers file. Note that you have the exact same problem for your couchbase user.
When trying to add a user using Ansible, I set ansible_become_user in my inventory to an account on the server that is a sudoer, but adding a user still fails with this error:
usermod: cannot open /etc/passwd usermod: failed to unlock /etc/passwd
I tested on the server running the command like this from my normal ssh account:
sudo -u <sudo_user> useradd test
useradd: cannot open /etc/passwd
useradd: failed to unlock /etc/passwd
If I su to my sudo account and run sudo useradd test, it works just fine.
I can also get it to work from my base SSH account by running su <sudo_user> -c "sudo useradd test".
The variable to set on your playbook/task is become_user not ansible_become_user. ansible_become_user is used when you set the value for a specific host/group in your inventory. See the privilege escalation doc
Moreover, you also have to set become: true for the above option to have any effect.
A quick example (does not become anything with debug, just to put you on track)
---
- hosts: all
become: true
become_user: someone
tasks:
- name: dummy task with play's defaults
debug:
msg: I would run with play's become_user
- name: dummy task with overriden user
become_user: some_other
debug:
msg: I would run with the overriden become_user
You can try another option, that is execute it like other user, for example root, and try it again.
For do it, edit /etc/sysconfig/jenkins
Then search for:
JENKINS_USER="jenkins"
And change it for
JENKINS_USER="root"
This should resolve the issue.
Another way is to add jenkins to visudo
Obligatory 'first post' tag. Issue: Commands will not pass to command line after entering password for a sudo su - userB
I am writing a script in bash that requires to be run as a specific user. Ideally we would like this script to be able to be run on our local workstations for ease of use. Here is the command I am running to test:
ssh -qt -p22 userA#hostname "whoami; sudo su - userB; whoami"
Expected:
userA
[sudo] password for userA:
userB
With this command I am able to get the prompt for sudo password but once it is entered I am presented with a normal terminal where I can manually run commands. Once I ctrl-D/exit it runs the second whoami as the userA and closes. I work in an extremely jailed environment so sudo su -c and similar "run-as-root" commands do not work and I cannot ssh directly to userB.
Is there any way to send the commands to userB by logging in with sudo su - userB?
su creates a subshell that reads the commands from standard input by default. It executes whoami after that exits. You can use the -c option to pass a command to it.
ssh -qt -p22 userA#hostname "whoami; sudo su - userB -c 'whoami'"
You can also use the -u option to sudo instead of using su:
ssh -qt -p22 userA#hostname "whoami; sudo -u userB whoami"
I am unable to create a directory using sudo priveleges from root user and If I login to user , I can create an directory under /root using sudo. Also I have added to allow all commands in /etc/sudoers file and the details are below:
[root#linux home]# cat /etc/sudoers | grep tes
test ALL= NOPASSWD: ALL
Error
[root#linux home]# sudo -u test mkdir /var/log/test3
mkdir: cannot create directory ‘/var/log/test3’: Permission denied
Any Ideas ?
Thanks
By running 'sudo -u test', you're giving yourself lower privileges than the roor user because you're running the command as the user 'test', not 'root'. From the root user, you can just run:
mkdir /var/log/test3
Read man sudo for more info.
Or:
Run visudo and uncomment the wheel group, then add the user test to the wheel group.
If you don't mind me asking, why do you need to create a directory as a certain user from the root user? Especially since the directory you're making will not be user specific?
Also, in the sudoers file , you should what added test ALL=(ALL) NOPASSWD: ALL, not test ALL= NOPASSWD: ALL
I have added a user like this:
$ adduser --system --home /no/home --no-create-home --group --disabled-password --disabled-login testuser
Added a user to a group:
$ adduser testuser testgroup
added lines to sudoers (visudo):
testuser ALL=(ALL) NOPASSWD: ALL
%testgroup ALL=(ALL:ALL) NOPASSWD: ALL
When I try to run the bash script with the following content:
#!/bin/sh
sudo -u testuser /usr/bin/php /usr/local/bin/script.php
But when I run this script, I get the error in the log:
sudo: no tty present and no askpass program specified
Edit: requiretty is not in the sudoers file.
sudo permissions are about the user/group you are changing from not the user you are changing to.
So are those permission lines are letting the testuser user and the testgroup group run any command (as anyone) without a password.
You need to give permission to the user running the script to run commands as the testuser user for what you want.
Assuming that's what you meant to allow that is.
That error occurs when your sudoers file specifies requiretty. From the sudoers manpage:
requiretty If set, sudo will only run when the user is
logged in to a real tty. When this flag is set,
sudo can only be run from a login session and not
via other means such as cron(8) or cgi-bin scripts.
This flag is off by default.
To fix your error, remove requiretty from your sudoers file.
I fixed it by login to the server and append the following lines to the ssh-server configuration:
> vim /etc/ssh/sshd_config
Match User <your user name>
PermitTTY yes
So I don't need the -t options permanently.