Reputation: 11
In my company we have limited root access, configured this way in sudoers.d:
user hostname =(root) PASSWD: /bin/su
I am trying to make Ansible impersonate root with this inventory:
all:
  vars:
    ansible_connection: ssh
    ansible_become: true
    ansible_become_pass: 'password'
    become_flags: '/bin/su - root /bin/bash -c'
  children:
    worker:
      hosts:
        hostname:
But every attempt I have made ends with this error:
hostname | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to hostname closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
I have read about privilege escalation and limited sudo (ansible privilege escalation),
but on the host we are able to launch any sudo command in this way:
sudo su -s /bin/sh -c "ls"
Is there any way to make Ansible use this method, or is it impossible?
Thank you.
Upvotes: 1
Views: 353
Reputation: 6158
It is possible, but not recommended because it requires the root password:
all:
  vars:
    ansible_connection: ssh
    ansible_become: true
    ansible_become_pass: 'root password'
    ansible_become_method: su
    # inventory variables need the ansible_ prefix; a bare become_flags key is not read by the become plugin
    ansible_become_flags: '-s /bin/bash'
The client's file /etc/sudoers.d/ansible is:
ansible hostname =(root) PASSWD: /bin/su
Running the following commands shows that escalation works:
$ ansible -m shell -a "whoami" Client1
Client1 | CHANGED | rc=0 >>
root
$ ansible -m shell -a "who am i" Client1
Client1 | CHANGED | rc=0 >>
ansible pts/0 2020-12-28 19:06 (192.168.122.36)
Upvotes: 1
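Why the question's inventory cannot yield a command that the `/bin/su`-only sudoers rule and `su` both accept, and what the hand-tested `sudo su -s /bin/sh -c "..."` chain looks like once it carries the BECOME-SUCCESS wrapper Ansible puts around every module command, as an added example that is not code from the question, the answer or Ansible. Ansible's stock sudo become plugin joins its pieces as `sudo <flags> <prompt> -u <user> <wrapped cmd>`, and it reads the flags only from `ansible_become_flags` (the question's `become_flags` inventory key never reaches it); `ansible_sudo_command` below is a simplified reimplementation of that join that assumes the flag string did reach the plugin. The sudoers line is copied from the question, the BECOME-SUCCESS key `abc123` is a constructed stand-in for the random one Ansible generates, the sudoers parser handles only the single-command form on this page, and `sudo_su_command` is what a custom become plugin's `build_become_command` would have to return for this rule (an assumption; the plugin itself is not written here).

```python
import shlex

# Constructed for this example: the sudoers line from the question and a fixed
# BECOME-SUCCESS key (Ansible generates a random one per task).
SUDOERS_RULE = "user hostname =(root) PASSWD: /bin/su"
KEY = "abc123"


def parse_sudoers_rule(rule):
    """Split a simple 'user host =(runas) [TAG:] cmd' sudoers line.

    Only this one-command form is handled; aliases, command lists and
    argument patterns are out of scope for the example.
    """
    user, rest = rule.split(None, 1)
    host, rest = rest.split("=", 1)
    runas, rest = "root", rest.strip()
    if rest.startswith("("):
        runas, rest = rest[1:].split(")", 1)
    # Tags such as PASSWD: / NOPASSWD: end with a colon; what is left is the command.
    cmds = [p for p in rest.split() if not p.endswith(":")]
    return user, host.strip(), runas, " ".join(cmds)


def success_payload(cmd):
    """Marker Ansible echoes before the real command to detect that escalation worked."""
    return "echo BECOME-SUCCESS-%s ; %s" % (KEY, cmd)


def ansible_sudo_command(cmd, become_flags="-H -S -n", become_user="root", has_pass=True):
    """Simplified reimplementation (not Ansible's code) of how the stock sudo
    become plugin joins its pieces: sudo <flags> <prompt> -u <user> <wrapped cmd>.
    When a become password is set, -n is dropped and a -p prompt is added."""
    flags = become_flags or ""
    prompt = ""
    if has_pass:
        flags = flags.replace("-n", "").strip()
        prompt = '-p "[sudo via ansible, key=%s] password:"' % KEY
    user = "-u %s" % become_user if become_user else ""
    wrapped = "/bin/sh -c %s" % shlex.quote(success_payload(cmd))
    return " ".join(p for p in ["sudo", flags, prompt, user, wrapped] if p)


def sudo_su_command(cmd, shell="/bin/sh"):
    """The sudo -> su chain the question shows working by hand, carrying the same
    BECOME-SUCCESS wrapper: sudo /bin/su -s <shell> -c '<payload>'. Assumption:
    this is the string a custom become plugin would return for this sudoers rule."""
    return "sudo /bin/su -s %s -c %s" % (shell, shlex.quote(success_payload(cmd)))


# sudo stops option parsing at the first non-option word and asks sudoers about
# that word. Only the value-taking options Ansible itself emits are modelled.
_SUDO_OPTS_WITH_VALUE = ("-p", "-u")


def sudo_target(command):
    """Return the program sudo would ask sudoers about for this command line."""
    argv = shlex.split(command)
    i = 1  # argv[0] is 'sudo'
    while argv[i].startswith("-"):
        i += 2 if argv[i] in _SUDO_OPTS_WITH_VALUE else 1
    return argv[i]


def su_argv(command):
    """Everything handed to /bin/su itself, i.e. what su and then the login shell
    must make sense of once sudo has done its part ([] if su is not invoked)."""
    argv = shlex.split(command)
    if "/bin/su" not in argv:
        return []
    return argv[argv.index("/bin/su") + 1:]


def allowed_by_rule(command, rule=SUDOERS_RULE):
    """True if the binary sudo would run is the one listed in the sudoers rule.
    A bare command with no arguments in sudoers permits any arguments."""
    return sudo_target(command) == parse_sudoers_rule(rule)[3]


if __name__ == "__main__":
    cases = (
        ("stock sudo", ansible_sudo_command("ls")),
        ("question flags", ansible_sudo_command("ls", become_flags="/bin/su - root /bin/bash -c")),
        ("sudo su chain", sudo_su_command("ls")),
    )
    for label, c in cases:
        print("%-15s target=%-8s allowed=%-5s su_argv=%s"
              % (label, sudo_target(c), allowed_by_rule(c), su_argv(c)))
```

Running it shows the three outcomes side by side: the stock plugin asks sudo for `/bin/sh`, which the rule rejects; the question's flag string does get `/bin/su` past sudoers, but su then receives Ansible's own `-p "..."`, `-u root` and `/bin/sh -c '...'` as shell arguments, which is not a usable invocation; only the chain form keeps sudoers and su both happy, and that is the shape a custom become plugin for this rule would have to produce.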