I have a playbook that is run once a day via an entry in the crontab. For some of the tasks defined in the playbook I need to become root on the target machine. Thus I use become together with ansible_become_pass to gain sudo priveleges. As I run it as a cronjob I cannot use --ask-become-pass. On the other side I do not want to store the sudo password in plain text in my ansible hosts file. Can I somehow pass an encrypted password to ansible?
I had a similar problem and my best solution was to create a script (in Python) that would ask for the ansible-valut password each time it started (i would put the script in crontab #reboot). When I entered the password, it would be saved in a variable, thus being present in memory while the program was running in the background (to run in the background it would fork and redirect the stdout and stderr). The script would then use the Python "child" module to execute the ansible playbook (or command) and automatically send the vault password. After each ansible execution, the program would sleep for 24 hours.
I just wanted to give you an idea of a possible workaround. This is not technically a service/daemon, but it's not very different.
Related
I have a physical machine (Win7) and a virtual machine (Red Hat) sharing a network. I am executing a bash script as a Jenkins job using the SSH plugin for Jenkins to deploy an application from the physical machine to the virtual machine.
I cannot use Root users due to security policy on the machine I want the script executed on and am instead limited to using standard users with sudo access.
However, I want the script to run without interruption (I don't think Jenkins even allows you to enter user passwords when running bash scripts? Also, this doesn't seem like best practice anyway).
Is there any method of bypassing the sudo request or configuration of the script that would allow this process to run the way I wish?
You can use a NOPASSWD directive in /etc/sudoers; see the sudoers manual page.
If that is not possible, you can always use expect to feed the password (stored somewhere in the account) to the sudo process. This is probably against your security policy as well. You need to talk to the people who make the policy for advice on how you can automate these jobs (“digital transformation” and all that).
I'm writing a shell script to connect to a Linux based remote machine using ssh
After successfully logging in to the remote machine I'm able to execute Linux commands, now the real problem I'm facing is when trying to run the same script for another remote machine which will ask for a local authentication(username and password) upon ssh login to proceed further.
Can someone guide me on how to fill the first line with my username and immediately do a carriage return and perform similar action for password.
I've tried the below code connect.sh
sshpass -p <remote-passwd> ssh root#<remote-ip> 'bash -s' < test.sh
test.sh contain
ls
pwd
If I run connect.sh script it executes perfectly without asking for remote machine password. It also executes ls and pwd
Can I actually replace ls and pwd with my username and password to achieve what I'm trying to do??
Also, Am I looking on something which is not possible?? (I have seen a similar code in VB.NET which is solving my purpose but it is not a robust code and I really don't have any idea on VB scripts)
Update: I'm able to login to remote machine non interactively, but the remote machine environment immediately asks for a local authentication which again requires keyboard interaction, I'm looking for achieving this authentication non interactively
If at all possible, you should configure a public key on the server so you don't have to supply a password. This is more secure and will solve your problem more directly.
You may also want to look into orchestration frameworks, rather than implementing this all yourself. If you're doing small things, Fabric is a good option. If this looks like it'll become something much larger, you should look into something like Ansible, which can also additionally handle system configuration and a million other things, but requires very little setup to get started with.
Since I dont have root access, I cannot add the script to .profile.
I tried to use crontab to make it run every 10 secs. Even that is not allowed, since I am not root.
In executing the program in cron there is no need of root permission. Because
each and every user should have the separate cron entry. So you can do that using cron.
Your ~/.profile should be under your control, as should your own crontab. That is, unless your sysadmin has gone out of her way to prevent users from manipulating these. In which case, you will just need to talk to them.
If your ~/.profile is not loading you may want to try ~/.kshrc if you are using Korn Shell as your user's shell. Or if it's bash you can use ~/.bashrc or ~/.bash_profile (this is most common on linux).
I need to get a hold of web-server logs by regular users who have /bin/bash as their shell enabled. Logs are stored in a directory which has drwx------ permissions and is owned by root:root so obviously they can't access any files in it (and yes, I can't really change this permissions setup).
The system(s) is Debian Linux. So I'm looking for some wrapper script, it might not be bash exactly, which, in my vision, will do the following:
you pass one argument to it - a sitename - i.e. site.com;
it greps all the lines containing this site.com;
stores the result to user home dir.
This part is easy, the real problem arises when you want to bypass restrictions yet to stay (at least somewhat) safe. So:
script must only be started after password is provided for it to be run;
in case of bash scripts they are run with permissions of the user account who ran it - so my guess is it should have su -m root -c 'grep ...' in it, but I found no way how to pass password to the prompt inside the script so far (sudo is not exactly suitable unfortunately);
if there is a way to pass password to su from inside the script then of course script itself must have permissions 751 and owner of root:root - so that the end user who runs the script (or anyone else) won't be able to see the script's content.
I'm open to suggestions how this should be done or if it's should be done at all (at least this way) :) Thank you.
Given what I understand of your needs, I summarize here the various options that come to my mind. In no particular order:
Use sudo together with a policy file (/etc/sudoers -- edit with
visudo) to restrict the commands available to the user
Use a cron job (more or less smart) to collect data on the server at regular
intervals and store them at a location accessible to you (or mail them to you...)
If you have administrative access to the server, you might create a special user with
the "log-grepping" tool as connection shell (/etc/passwd)
If you have ssh access to your server, you may also use the
authorized_keys file on the server to restrict remote command over ssh
Those are only general directions. Read about them. Try them. And if you're struggled, don't hesitate to post an other question!
As a last word, as it has already been stated in a comment, please refrain yourself to develop your own "security restriction system". sudo, ssh, pam (and probably others ... selinux?) have been specifically crafted for that purpose...
I have a question closely related to this thread:
Best practice to run Linux service as a different user
but I need the solution to work in "every" Linux distribution.
I would like to run a program as a non root user from a script. This way, when init.d starts up the services at boot time as root, the script launches the process as the non-root user I specify. Of course the solution shouldn't prompt for a password.
I think this is the normal/correct procedure when deploying applications.
How could I do that?
Thanks a lot
A good way would be to drop privileges from your actual program. Then just pass that user as a parameter. Inside you can handle it in a very standard way (setuid())
Otherwise su -c 'your command' different_user will work just fine on any linux. (as long as different_user exists)
There are two ways:
sudo command - you need to add the original user to /etc/sudoers with such entry that the program can be run without (NOPASSWD)
seteuid() system call (if you can modify the program)
If you are root, you can also use su (see #cnicutar's answer for details)