Ansible: sudo without password - linux

I want to run ansible with user sa1 without sudo password:
First time OK:
[root#centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"
cent2 | SUCCESS | rc=0 >>
Second time FAILED:
[root#centos1 cp]# ansible cent2 -s -m yum -a "name=httpd state=absent"
cent2 | FAILED! => {
"changed": false,
"failed": true,
"module_stderr": "",
"module_stdout": "sudo: a password is required\r\n",
"msg": "MODULE FAILURE",
"parsed": false
}
Please help!

It's not ansible it's your server's configuration. Make sure that sudo is allowed for the user ansible is using without password.
To do that login to the server
Open the sudoers file with sudo visudo
Make sure you have a line something like this: centos ALL=(ALL) NOPASSWD:ALL
Replace centos with the your user
Save the file
You can try from the server itself by running:
sudo -u [yourusername] sudo echo "success"
If this works it should work from ansible too.

By default ansible runs sudo with the flags: -H -S -n to become root. Where --non-interactive would be the corresponding long form for option -n. This option seems to make sudo return the error message, without attempting to let the authentication modules do their thing.
I managed to get around the password error by creating a ~/.ansible.cfg containing lines as below, for the most relevant ansible version.
ansible 2.4
[defaults]
sudo_flags = --set-home --stdin
ansible 2.9
[sudo_become_plugin]
flags = -H -S
That was at least enough to allow pam_ssh_agent_auth.so to run and authenticate me.
Prior to version 2.8 the above example works, newer than 2.8 requires the second example. Documentation for the new style configuration can be found in the Ansible User Guide.

Here's the playbook in case you want ansible make it for you
Add user to chosen group ( in my case wheel)
Add this to your playbook
- name: Make users passwordless for sudo in group wheel
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'

Related

Ansible become_user useradd issue

When trying to add a user using Ansible, I set ansible_become_user in my inventory to an account on the server that is a sudoer, but adding a user still fails with this error:
usermod: cannot open /etc/passwd usermod: failed to unlock /etc/passwd
I tested on the server running the command like this from my normal ssh account:
sudo -u <sudo_user> useradd test
useradd: cannot open /etc/passwd
useradd: failed to unlock /etc/passwd
If I su to my sudo account and run sudo useradd test, it works just fine.
I can also get it to work from my base SSH account by running su <sudo_user> -c "sudo useradd test".
The variable to set on your playbook/task is become_user not ansible_become_user. ansible_become_user is used when you set the value for a specific host/group in your inventory. See the privilege escalation doc
Moreover, you also have to set become: true for the above option to have any effect.
A quick example (does not become anything with debug, just to put you on track)
---
- hosts: all
become: true
become_user: someone
tasks:
- name: dummy task with play's defaults
debug:
msg: I would run with play's become_user
- name: dummy task with overriden user
become_user: some_other
debug:
msg: I would run with the overriden become_user
You can try another option, that is execute it like other user, for example root, and try it again.
For do it, edit /etc/sysconfig/jenkins
Then search for:
JENKINS_USER="jenkins"
And change it for
JENKINS_USER="root"
This should resolve the issue.
Another way is to add jenkins to visudo

Ansible sudo default prompt

When we issue a sudo request via ansible, ansible using the –p option of sudo to display a customized message (which is generated dynamically with each ansible run ) using the command
sudo -H -S -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy] password: " <command Name>
This has been observed via -vvv mode.
The problem is we have a situation where the default custom sudo prompt is fixed and cannot be overriden using sudo -p option (beause sudo access is verified via third-party tool Active directory).
Say for example:
sudo ls -l:
use Window's password:
If I use sudo -p
sudo -p 'Enter your password:' ls -l
use Window's password:
When ansible tries to do sudo , it expects the custom prompt and then if the expected custom prompt matched with the thrown custom prompt ansible sends the password, otherwise not and results in error (timeout)
My question is is there any way
sudo -H -S -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy]
the custom prompt using -p option in ansible can be made fixed for every ansible run using some configuration
Set the ansible_become_exe parameter for a task, play, or in the inventory.
For example:
- name: Check escalation
vars:
ansible_become: true
ansible_become_exe: 'sudo -p "[sudo via ansible, key=vrioenmynjfokqgzjxywtayyaivnxspy]"'
command: whoami

Unable to run Ansible with sudo user

We have a user userA on the server which has access to sudo. I can login into the server and run sudo su - userA to switch to new user. However if I use Ansible, it is throwing me below error:
fatal: [node1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to node1 closed.\r\n", "module_stdout": "\r\nSorry, user abc is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-pzwmlpcvzvwafleunmvpwioi; /usr/bin/python /var/tmp/ansible-tmp-1533926060.36-184244176073120/setup.py' as userA on node1.\r\n", "msg": "MODULE FAILURE", "rc": 1}
Ansible file:
---
- hosts: all
become: yes
become_user: userA
become_method: sudo
tasks:
- name: Create file
command: touch /home/userA/testing
We don't have access to sudoers file. Is there a way to fix this without changing sudoers file?
I depends... If the sudoers configuration permits running /usr/bin/su - userA* (with a wildcard at the end allowing for the -c argument), then you can add become-configuration to your task in the following way:
- name: Create file
command: touch /home/userA/testing
vars:
ansible_become: true
ansible_become_method: su
ansible_become_user: userA
ansible_become_exe: 'sudo -p "Password: " su -'
If the password is required by sudoers, you must run ansible-playbook with --ask-become-pass (-K) option and connecting user's password (as for sudo).
First three parameters can be written directly as parameters to the task / play.
Otherwise you are probably destined for running expect module (likely on the controller machine) with all the drawbacks.
you can SetUID chmod u+s file on the files you want to run with UserA from userB. For Example, /usr/bin/passwd is a root file which has SetUID, so, any user can change its own passwd (using passwd command) while running the /usr/bin/passwd as root.
ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd
passwd
Changing password for user user.
Changing password for user.
(current) UNIX password:

How to grant Nagios permissions to run some commands in custom script?

I have been making some custom shell scripts for my nagios machine. I was able to make them run just fine but for some reason some commands in the script don't seem to be working.
For instance commands like echo, cut , ps , grep work fine but commands like touch, useradd dont seem to work, even with sudo. If I run the script from the terminal, all the commands in the script work.
How can I give nagios permissions to run these commands?
I'm running nagios3 on ubuntu 14.04.5 lts
Edit: Added a few lines of code which aren't being run
sudo useradd -m $USERNAME
(echo $PASSWORD; echo $PASSWORD) | sudo smbpasswd -s -a $USERNAME
Standard way is setup permission for Nagios user on monitored server, for instance NRPE, in /etc/sudoers file.
1. method
Try add something like this in your sudoers file.
Defaults:nrpe !requiretty
nrpe ALL= NOPASSWD: useradd -m
nrpe ALL= NOPASSWD: smbpasswd -s -a
PS: For easy editing sudoers file you can use visudo command ;-)
2. method
Or you can try add Nagios user to sudo group via sudo usermod -aG sudo <username>
-a stands for add
G is for group
Tell nagios to run the script as sudo in your .cfg file...
Assuming its permissions problem.
Edit /etc/sudoers file using visudo, this allows automatic file check for errors.
Defaults:nrpe !requiretty
nrpe ALL=(root) NOPASSWD: /path/to/your/command/or/script
Verify sudo has assigned the above permissions to the user in this case nrpe
sudo -U nrpe -l
you should see the command you added listed within the outpul
Edit /etc/nagios/nrpe.cfg
Add your command to the end of the file
e.g.
command[your_command]=/usr/bin/sudo /path/to/your/command/or/script
Restart nrpe
Centos: systemctl restart nrpe (use the command available based on your Operating system)

How i can remove -u in sudo option string by ansible config

I try configure ansible for become other user:
My ansible.cfg entries
sudo_flags=
ssh_args = -t -t
sudo_exe = sudo /bin/su
I can escalate privilege on remote host only one way (and this works in ssh session):
sudo /bin/su anyuser -
Example playbook:
---
- hosts: anyhosts
become: true
become_user: anyuser
tasks:
- name: check becoming anyuser
command: "ls -ltha"
When i run my simple playbook, in verbose log output i see -u option:
'"'"'sudo /bin/su -u anyuser -
How i can disable/remove this -u option in playbook or ansible.cfg?
You have told Ansible that sudo is sudo /bin/su, but as far as Ansible knows it's still using sudo, which supports -u argument. If you want to use some other command for privilege escalation, consider setting become_method.
However, it's not clear why you're not just using sudo, since you appear to have sudo privileges. Possibly setting sudo_exe = sudo sudo would actually solve the problem, since the first sudo would get you root access (which appears to work just fine, based on your question), and then root would be able to run sudo -u ..., which should work just fine.

Resources