Restrict Ansible script module using sudoers on the remote node

I have a playbook that performs some prechecks on the database as the Oracle user. The remote node is an AIX server, so I created a shell script that is run via the playbook.

---
- hosts: db
  vars_files:
    - ansible_var.yml

  tasks:
    - name: "DB Checks"
      become: True
      become_user: oracle
      script: "{{ db_prechk }}"

On the AIX server, I added the entry below to the sudoers file:

 ansible ALL=(oracle) NOPASSWD: /tmp/ansible-tmp-*/db_prechecks.sh

But the playbook fails with the error that it's waiting for the privilege escalation prompt.

This runs fine if it is run as root. However, we do not want passwordless root between the Ansible controller and the remote nodes, so we created an ansible user on the controller and the remote nodes and exchanged the SSH keys.

This also runs if the sudoers entry is just

ansible ALL=(oracle) NOPASSWD: ALL

We do not want to provide full access to the oracle userid via the ansible user id too.

I ran the playbook in verbose mode and can see that Ansible is copying the script to the remote_tmp dir and executing it as the oracle userid. In that case the sudoers line should have allowed it to run?

If you look at the verbose mode output, you will see that the actual command differs from the one you specified in the sudoers file:

<127.0.0.1> SSH: EXEC ssh -o ForwardAgent=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2202 -o 'IdentityFile="/Users/techraf/devops/testground/debian/.vagrant/machines/debian/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=120 -o ControlPath=/Users/techraf/.ansible/cp/ansible-ssh-%h-%p-%r -tt 127.0.0.1 '/bin/sh -c '"'"'sudo -H -S -n -u oracle /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh '"'"'"'"'"'"'"'"' && sleep 0'"'"''

So what is executed after sudo -u oracle actually starts with /bin/sh -c.

I managed to filter a working string to:

ansible ALL=(oracle) NOPASSWD: /bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*

But it is based on trial-and-error. I'm not sure yet why * is required between ; and /tmp/... and at the end, but otherwise it does not work.

In both places Ansible added superfluous space characters and it seems to be the reason, as adding a space to a shell command (specified in the sudoers file) does affect the ability to sudo.

You might try with ? instead of *; I will test later.

Q: "This also runs if the sudoers entry is just ansible ALL=(oracle) NOPASSWD: ALL"

A: Quoting from "Privilege escalation must be general":

"You cannot limit privilege escalation permissions to certain commands..."

Replying to @techraf's answer: sudo seems to truncate the extra space and you can see it with sudo -l. I was able to get around this by escaping the spaces with \ as instructed in sudo's man page:

\x For any character ‘x’, evaluates to ‘x’.
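To make the matching behaviour described in the answer and the reply above concrete, here is an added example (not from the question, the answers, sudo or the Ansible project) that models how sudoers matches a rule against the argv that sudo receives. The BECOME-SUCCESS token and tmp-dir name are the ones from the verbose output quoted above; the lexer model (unescaped whitespace between argument tokens collapses to one space), the "injected" argv and the rule names are assumptions made for the demonstration.

```python
"""Model of sudoers command matching, applied to the become wrapper that
Ansible generates for the script module.

Added example, not from the question, the answers or the Ansible project.
It reproduces the fnmatch(3)-style matching that sudoers applies to the
command path and arguments (simplified: host, runas, digest and path
canonicalisation checks are left out) and the way the sudoers lexer joins
argument tokens with a single space unless the space is escaped (model).
"""
import re
from typing import Dict, List

# argv that sudo receives, reconstructed from the verbose output quoted in
# the answer (token and timestamp as shown there). Two spaces follow the ';'
# and a space trails the script name: that is what the sudoers rule must match.
ANSIBLE_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-xoamupogqwtteubvedoscaghzmfascsr;"
    "  /tmp/ansible-tmp-1488508771.72-271591203197790/db_prechecks.sh ",
]

# Same wrapper shape with an extra command inserted (constructed input).
INJECTED_ARGV = [
    "/bin/sh", "-c",
    "echo BECOME-SUCCESS-x; cp /bin/sh /tmp/oracle-sh;"
    "  /tmp/ansible-tmp-x/db_prechecks.sh ",
]

RULES = {
    "question": "/tmp/ansible-tmp-*/db_prechecks.sh",
    "all": "ALL",
    "answer_globs": "/bin/sh -c echo BECOME-SUCCESS*; * /tmp/ansible-tmp-*/db_prechecks.sh*",
    "reply_escaped": r"/bin/sh -c echo BECOME-SUCCESS*;\ \ /tmp/ansible-tmp-*/db_prechecks.sh\ ",
    "qmark": "/bin/sh -c echo BECOME-SUCCESS*; ? /tmp/ansible-tmp-*/db_prechecks.sh*",
}


def glob_to_regex(pattern: str, pathname: bool = False) -> str:
    """Translate sudoers wildcards (* ? [...] [!...] \\x) to a regex.
    With pathname=True, * and ? do not cross '/', as for the command path."""
    any_run, any_one = ("[^/]*", "[^/]") if pathname else (".*", ".")
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # \x -> literal x
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(any_run)
        elif c == "?":
            out.append(any_one)
        elif c == "[" and "]" in pattern[i + 2:]:    # character class, passed through
            j = pattern.index("]", i + 2)
            body = pattern[i + 1:j]
            out.append("[" + ("^" + body[1:] if body.startswith("!") else body) + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "(?s:" + "".join(out) + r")\Z"


def lexed_args(rule_args: str) -> str:
    """How the sudoers lexer stores the argument part of a rule (model):
    tokens split on unescaped whitespace are rejoined with one space, so
    'a  b' becomes 'a b', while 'a\\ \\ b' keeps both spaces (escaped)."""
    return " ".join(re.findall(r"(?:\\.|[^\s\\])+", rule_args))


def sudoers_allows(rule: str, argv: List[str]) -> bool:
    """Would the Cmnd part of a sudoers rule let argv run?"""
    if rule == "ALL":
        return True
    path, _, args = rule.partition(" ")
    if not re.match(glob_to_regex(path, pathname=True), argv[0]):
        return False
    if args == "":
        return True                  # no args in the rule: any arguments allowed
    user_args = " ".join(argv[1:])   # sudo compares the arguments joined by spaces
    if args == '""':
        return user_args == ""       # "" in the rule: no arguments allowed
    return re.match(glob_to_regex(lexed_args(args)), user_args) is not None


def evaluate(argv: List[str]) -> Dict[str, bool]:
    """Check every rule in RULES against one argv."""
    return {name: sudoers_allows(rule, argv) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, ok in evaluate(ANSIBLE_ARGV).items():
        print(f"ansible wrapper   {name:14s} {'allowed' if ok else 'DENIED'}")
    for name, ok in evaluate(INJECTED_ARGV).items():
        print(f"injected command  {name:14s} {'allowed' if ok else 'DENIED'}")
```

Running it shows why the question's rule never matched (sudo compares argv[0], which is /bin/sh, not the script path), why the answer's rule needs a * between "; " and " /tmp" (the * matches the empty string, which is the only way to get two consecutive spaces past a lexer that collapses them) and a trailing * (the trailing space in the wrapper), why a ? in that position fails (it must match exactly one character, so it needs three characters between ";" and "/tmp"), and why the reply's escaped spaces work without any of that. It also shows the caveat a reviewer would raise: both wildcard rules accept the injected argv as well, because a * in the argument part matches anything, ";" and "/" included, and the script itself is written into a directory that the ansible user created, so its contents are chosen by whoever holds the ansible key. Such a rule constrains the shape of Ansible's wrapper, not what runs as oracle, which is what the docs quoted in the other answer mean by privilege escalation having to be general.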

Comments
  • Sometimes /tmp is mounted with noexec. Look at /etc/fstab
  • @bodo That would not explain why it worked with NOPASSWD: ALL.
  • I tried using ? and [a-z], but it's not working. I reverted back to the * and will keep checking