extraspecialbitter

Reputation: 35

Ansible and "sudo su - "

I'm trying to create an ansible playbook that will work in my current work environment. I login to servers as user "myuser" using ssh keys. I was never given a password, so I don't know it. Most of the commands I run are executed as a different non-root user - e.g. "appadmin". I become these users via "sudo su - appadmin", since I don't have the passwords for this user either.

Different variations I've tried either complain "sudo: a password is required" or time out after 12 seconds. I'll show this second example.

The playbook is very simple:

---
- hosts: sudo-test
  gather_facts: False
  remote_user: myuser
  become: yes
  become_user: appadmin
  tasks:
    - name: who
      shell: whoami > qwert.txt

My host entry is as follows:

[sudo-test]
appserver.example.com ansible_become_method=su ansible_become_exe="sudo su"

This is the error I get:

pablo@host=> ansible-playbook test_sudo.yml

PLAY [sudo-test] ****************************************************************************************************

TASK [who] **********************************************************************************************************
fatal: [appserver.example.com]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
        to retry, use: --limit @/home/pablo/ansible_dir/test_sudo.retry

PLAY RECAP **********************************************************************************************************
appserver.example.com : ok=0    changed=0    unreachable=0    failed=1

At this point I agree that the playbook and inventory are configured correctly. I believe the issue is that /etc/sudoers doesn't permit my "appadmin" user to run in a way that allows me to leverage ansible's ability to become another user. This thread describes a similar scenario - and limitation.

The relevant section of /etc/sudoers looks like this:

User myuser may run the following commands on this host:
    (root) NOPASSWD: /bin/su - appadmin

It seems I would have to have the sysadmin change this to:

User myuser may run the following commands on this host:
    (root) NOPASSWD: /bin/su - appadmin *

Does this sound right?

Upvotes: 2

Views: 5510
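The question turns on how sudoers compares the command Ansible actually runs with the `(root) NOPASSWD: /bin/su - appadmin` rule. The script below is an added example, not code from the question, the answers or Ansible: it builds the remote command the way the `su` become method lays it out (assumed here to be `become_exe`, then `become_flags`, then `become_user`, then `-c <quoted shell command>`), strips the leading `sudo`, and matches the remaining argv against a sudoers command spec using sudoers' documented rules (a spec with no arguments allows any arguments, `""` allows none, listed arguments must match exactly, and `*` matches across spaces). The rule strings, the task command and the `su` to `/bin/su` path mapping are taken from or assumed for the question; the `become_flags="-"` variant is an assumption about where the missing login-shell dash would have to come from.

```python
"""Model of sudoers command matching applied to the su become method.

Added example for the question above; not Ansible's code. The command
layout (become_exe become_flags become_user -c <cmd>) and the su ->
/bin/su resolution are assumptions; the matching rules follow sudoers(5).
"""
import fnmatch
import shlex

# Constructed from the question: the current rule and the proposed change.
RULE_CURRENT = "/bin/su - appadmin"
RULE_PROPOSED = "/bin/su - appadmin *"


def build_su_command(cmd, become_exe="su", become_flags="", become_user="root"):
    """Assumed layout of what the su become method runs on the remote host."""
    parts = [become_exe]
    if become_flags:
        parts.append(become_flags)
    parts.append(become_user)
    parts.extend(["-c", shlex.quote(cmd)])
    return " ".join(parts)


def sudo_argv(full_cmd):
    """Split the command line and drop a leading `sudo`; what is left is the
    argv that sudo itself compares with /etc/sudoers."""
    argv = shlex.split(full_cmd)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    return argv


def sudoers_matches(spec, argv, path_map=None):
    """Sudoers-style match of argv against a command spec such as
    '/bin/su - appadmin *'.  The program path must be identical; the
    arguments are joined with spaces and matched as one string, so a `*`
    spans argument boundaries.  A spec with no arguments allows any
    arguments; a spec ending in "" allows none."""
    spec_parts = spec.split(None, 1)
    spec_cmd = spec_parts[0]
    spec_args = spec_parts[1] if len(spec_parts) > 1 else None
    # Assumed PATH resolution: real sudo resolves via secure_path.
    path_map = path_map or {"su": "/bin/su"}
    if not argv or path_map.get(argv[0], argv[0]) != spec_cmd:
        return False
    args = " ".join(argv[1:])
    if spec_args is None:
        return True
    if spec_args == '""':
        return args == ""
    return fnmatch.fnmatchcase(args, spec_args)


def scenarios():
    """Return rule/command combinations as {label: matched}."""
    task = "/bin/sh -c 'whoami > qwert.txt'"   # the task from the playbook
    results = {}
    # 1. Exactly the question's inventory: become_exe="sudo su", no flags,
    #    so the login-shell dash never reaches su.
    as_posted = build_su_command(task, become_exe="sudo su", become_user="appadmin")
    results["posted/current"] = sudoers_matches(RULE_CURRENT, sudo_argv(as_posted))
    results["posted/proposed"] = sudoers_matches(RULE_PROPOSED, sudo_argv(as_posted))
    # 2. Same, plus become_flags="-" (assumption) so the dash is present.
    with_dash = build_su_command(task, become_exe="sudo su", become_flags="-",
                                 become_user="appadmin")
    results["dash/current"] = sudoers_matches(RULE_CURRENT, sudo_argv(with_dash))
    results["dash/proposed"] = sudoers_matches(RULE_PROPOSED, sudo_argv(with_dash))
    # 3. What the user types by hand: no -c, so the exact rule matches.
    results["manual/current"] = sudoers_matches(RULE_CURRENT, sudo_argv("sudo su - appadmin"))
    return results


if __name__ == "__main__":
    for label, matched in scenarios().items():
        print(f"{label:18s} NOPASSWD rule matches: {matched}")
```

Under these assumptions the rule as it stands only matches the interactive `sudo su - appadmin`; the command the playbook generates gets no NOPASSWD match, so sudo wants a password and Ansible either reports that a password is required or waits for a prompt that never comes. Widening the rule to `/bin/su - appadmin *` is only half of it: the generated command must also carry the `-`, which in this model means setting `ansible_become_flags="-"` alongside `ansible_become_exe="sudo su"`. Caveat for the sysadmin: because `*` spans spaces it matches any trailing arguments, which here grants nothing beyond the login shell the rule already hands out, but the same trailing `*` on a command that reads files or takes options can open up much more than intended.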

Answers (2)

Wernfried Domscheit

Reputation: 59436

Try this one:

- hosts: application
  become: yes
  become_exe: "sudo su - appadmin"
  become_method: su
  tasks:

Upvotes: 0

Sai

Reputation: 166

I don't find any issue with the YAML; in fact, I got it tested in my Ansible 2.8 environment.

---
- hosts: node1
  gather_facts: False
  remote_user: ansible
  become: yes
  become_user: testuser
  tasks:
    - name: who
      shell: whoami
      register: output

    - debug: var=output

and inventory:

[node1]
node1.example.com ansible_become_method=su ansible_become_exe="sudo su"

output:

TASK [debug] ****************************************************************************************************************************
ok: [node1.example.com] =>

I would request you to increase the SSH timer (uncomment the timeout line and set it to 60, or however many seconds you wish) in the ansible.cfg file and observe this scenario.

# SSH timeout
#timeout = 300

Upvotes: 2
