Ansible sudo with restrictive permission's

Question

We have a use case where the ssh user test2 is given permission to run a particular script that is owned by another user test3. Below are the permissions provided in the /etc/sudoers file.

test2 ALL=(test3) NOPASSWD: /home/test3/start.sh

This works well when we run ssh test2@target_host sudo -u test3 /home/test3/start.sh

We wanted to execute the ssh task through ansible become method:sudo and become_user and that never works. what we found is that ansible modifies the instruction's as below during the actual execution and that never matches the permission's on the sudoer's file.

sudo -H -S -n  -u test3 /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-knavgwllrftljavwujkveyjcctlgkbda ; /usr/bin/python /var/tmp/ansible-tmp-1582478029.04-74694013835195/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

it looks like our only option is to update the permission's as below but that sort of gives full shell permission's on the test3 user which will never satisfy our security requirement's

test2 ALL=(test3) NOPASSWD: /bin/sh

Has someone faced a similar situation like this before? for a controlled execution. Please note test2 and test3 are non sudo user's.

Answer 1

Since you only need test2 user to execute that one file owned by test3, how about just giving test2 permission to read and execute that file (and the directory it's in):

setfacl -m u:test2:rx /home/test3
setfacl -m u:test2:rx /home/test3/start.sh

Then, you don't need the become stuff at all.