How can I remove -u in sudo option string by ansible config - linux

I am trying to configure Ansible to become another user.
My ansible.cfg entries:
sudo_flags=
ssh_args = -t -t
sudo_exe = sudo /bin/su
I can escalate privileges on the remote host in only one way (and this works in an SSH session):
sudo /bin/su anyuser -
Example playbook:
---
- hosts: anyhosts
  become: true
  become_user: anyuser
  tasks:
    - name: check becoming anyuser
      command: "ls -ltha"
When I run my simple playbook, I see the -u option in the verbose log output:
'"'"'sudo /bin/su -u anyuser -
How can I disable/remove this -u option in the playbook or ansible.cfg?

You have told Ansible that sudo is sudo /bin/su, but as far as Ansible knows it's still using sudo, which supports the -u argument. If you want to use some other command for privilege escalation, consider setting become_method.
However, it's not clear why you're not just using sudo, since you appear to have sudo privileges. Possibly setting sudo_exe = sudo sudo would actually solve the problem, since the first sudo would get you root access (which appears to work just fine, based on your question), and then root would be able to run sudo -u ..., which should work just fine.

Related

Ansible become_user useradd issue

When trying to add a user using Ansible, I set ansible_become_user in my inventory to an account on the server that is a sudoer, but adding a user still fails with this error:
usermod: cannot open /etc/passwd
usermod: failed to unlock /etc/passwd
I tested on the server running the command like this from my normal ssh account:
sudo -u <sudo_user> useradd test
useradd: cannot open /etc/passwd
useradd: failed to unlock /etc/passwd
If I su to my sudo account and run sudo useradd test, it works just fine.
I can also get it to work from my base SSH account by running su <sudo_user> -c "sudo useradd test".
The variable to set on your playbook/task is become_user, not ansible_become_user. ansible_become_user is used when you set the value for a specific host/group in your inventory. See the privilege escalation doc.
Moreover, you also have to set become: true for the above option to have any effect.
A quick example (does not become anything with debug, just to put you on track)
---
- hosts: all
  become: true
  become_user: someone
  tasks:
    - name: dummy task with play's defaults
      debug:
        msg: I would run with play's become_user
    - name: dummy task with overriden user
      become_user: some_other
      debug:
        msg: I would run with the overriden become_user
You can try another option: execute it as another user, for example root, and try again.
To do so, edit /etc/sysconfig/jenkins
Then search for:
JENKINS_USER="jenkins"
And change it to
JENKINS_USER="root"
This should resolve the issue.
Another way is to add jenkins to visudo

Ansible sudo default prompt

When we issue a sudo request via Ansible, Ansible uses the -p option of sudo to display a customized message (which is generated dynamically with each Ansible run) using the command:
sudo -H -S -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy] password: " <command Name>
This has been observed via -vvv mode.
The problem is that we have a situation where the default custom sudo prompt is fixed and cannot be overridden using the sudo -p option (because sudo access is verified via a third-party tool, Active Directory).
Say for example:
sudo ls -l:
use Window's password:
If I use sudo -p
sudo -p 'Enter your password:' ls -l
use Window's password:
When Ansible tries to do sudo, it expects the custom prompt, and if the expected custom prompt matches the prompt that is shown, Ansible sends the password; otherwise it does not, which results in an error (timeout).
My question: is there any way that the custom prompt Ansible passes with the -p option,
sudo -H -S -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy]
can be made fixed for every Ansible run using some configuration?
Set the ansible_become_exe parameter for a task, play, or in the inventory.
For example:
- name: Check escalation
  vars:
    ansible_become: true
    ansible_become_exe: 'sudo -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy]"'
  command: whoami

change user and run ssh instruction in 1 line

I'm trying to change my user to one that doesn't need password to run ssh instructions and then do exactly that, run an ssh instruction. What I have now is:
sudo su - testUser ssh testUser@server2 'cat /home/randomUser/hola.txt'
But I'm getting the answer:
/usr/bin/ssh: /usr/bin/ssh: cannot execute binary file
If I put the instructions in a different file called testit like this:
ssh testUser@server2
cat /home/randomUser/hola.txt
and I run:
sudo su - testUser < testit
It works! But I need to use the one-line instruction. Does someone know what I should change to make it work?
sudo su - testUser
Why don't you just use sudo -u testUser as it is supposed to be used?
But anyway, the manual pages for the tools you are using are a good start. For sudo:
sudo [...] [command]
This looks good and fits into your example.
For su:
su [options] [username]
Ola ... su does not have any argument command, unless you also provide the -c switch, which is also written in the manual page. And it is [option], so it should come in front of [username]! Something like this should do the job:
sudo su -l -c "ssh testUser@server2 'cat /home/randomUser/hola.txt'" testUser
but as I already mentioned, it can be significantly simplified by using sudo only:
sudo -i -u testUser "ssh testUser@server2 'cat /home/randomUser/hola.txt'"

Ansible: sudo without password

I want to run ansible with user sa1 without sudo password:
First time OK:
[root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"
cent2 | SUCCESS | rc=0 >>
Second time FAILED:
[root@centos1 cp]# ansible cent2 -s -m yum -a "name=httpd state=absent"
cent2 | FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE",
    "parsed": false
}
Please help!
It's not Ansible, it's your server's configuration. Make sure that sudo is allowed without a password for the user Ansible is using.
To do that, log in to the server
Open the sudoers file with sudo visudo
Make sure you have a line something like this: centos ALL=(ALL) NOPASSWD:ALL
Replace centos with your user
Save the file
You can try from the server itself by running:
sudo -u [yourusername] sudo echo "success"
If this works it should work from ansible too.
By default Ansible runs sudo with the flags -H -S -n to become root, where --non-interactive would be the corresponding long form for option -n. This option seems to make sudo return the error message, without attempting to let the authentication modules do their thing.
I managed to get around the password error by creating a ~/.ansible.cfg containing lines as below, for the most relevant ansible version.
ansible 2.4
[defaults]
sudo_flags = --set-home --stdin
ansible 2.9
[sudo_become_plugin]
flags = -H -S
That was at least enough to allow pam_ssh_agent_auth.so to run and authenticate me.
Prior to version 2.8 the above example works; anything newer than 2.8 requires the second example. Documentation for the new style configuration can be found in the Ansible User Guide.
Here's the playbook in case you want Ansible to do it for you
Add the user to the chosen group (in my case wheel)
Add this to your playbook
- name: Make users passwordless for sudo in group wheel
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'
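
Added example, not part of either answer above: both the visudo answer and the lineinfile answer grant NOPASSWD for ALL commands, so this Python sketch lists every NOPASSWD grant in a sudoers text and marks it as blanket or scoped to named commands. The sample content and the deploy account are constructed for illustration, and the parser is a simplification that does not expand aliases or handle escaped commas.

```python
import re

# who, host list, optional (runas) spec, then the tagged command list
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, NOEXEC:, ...
NOT_RULES = ("#", "@", "Defaults", "User_Alias", "Runas_Alias",
             "Host_Alias", "Cmnd_Alias")

# Constructed sample: the two lines from the answers plus a scoped grant.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL) ALL
centos ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) NOPASSWD: ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd, \\
    PASSWD: /usr/bin/yum
"""


def nopasswd_grants(text):
    """Return (who, runas, command, scope) for each NOPASSWD command.

    Simplified: aliases are not expanded and escaped commas are not handled.
    """
    findings = []
    text = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    for line in map(str.strip, text.splitlines()):
        rule = None if line.startswith(NOT_RULES) else RULE.match(line)
        if not rule:
            continue
        nopasswd = False  # sudo asks for a password unless a tag says otherwise
        for item in rule["cmds"].split(","):
            item = item.strip()
            # A tag applies to its command and to the ones after it.
            while (tag := TAG.match(item)):
                if tag["tag"] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag["tag"] == "NOPASSWD"
                item = item[tag.end():]
            if nopasswd:
                scope = "blanket" if item == "ALL" else "scoped"
                findings.append((rule["who"], rule["runas"] or "root", item, scope))
    return findings


if __name__ == "__main__":
    for who, runas, command, scope in nopasswd_grants(SAMPLE):
        print(f"{scope:8} {who:8} as {runas:5} -> {command}")
```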

Postgresql cannot change to root with -u shortcut

Recently updated from Postgresql 9.1 to 9.3.
Everything works fine, but I noticed now when I type in:
sudo -u postgres psql
I am getting hit with a permission denied error for changing dir to root.
"Could not change directory to /home/root.
However, when I use:
sudo su - postgres
psql
It accesses it fine. How can I fix this?
Change directory to someplace that postgres has access to:
cd /tmp
sudo -u postgres psql
Try this:
sudo -i -u postgres psql
This accomplishes (almost) the same thing as your
sudo su - postgres
The - in the above indicates that you want to use the postgres account's environment. If you remove the -, it will fail similarly to sudo -u.
The -i indicates that you want to run the postgres account's login shell (hence cding to their home directory).
For me this did the trick (or you'll get a could not change directory to "/root": Permission denied), pay attention to quotes (')
sudo -Hiu postgres 'pg_dump --column-inserts --data-only --table=someTable entities_db > /var/backups/anywhere/$(date +%Y%m%d_%H%M%S)_someTable.sql'
Note the -Hiu for sudo, or use su - postgres
You can also put that in a cronjob for root with crontab -e
