0 votes

(There are already a few questions about this, but no solution worked for me)

On the servers I work on, we have to "sudo su - webapps" and then run our commands as webapps. Ansible does not provide a native way to do this I believe (sudo only is available but the sysadmins restricted the list of commands I can run it with, su is available with Ansible but does not work on its own on the servers).

I've tried https://www.coveros.com/ansible-privledge-escalation-using-sudo-su/

[privilege_escalation]
become_exe=sudo su -

With playbook:

---
- hosts:
    - test
  become: yes
  become_user: webapps
  become_method: su
  tasks:
  - name: Updates file
    copy:
      src: a.txt
      dest: dest/a.txt

Running it gives:

SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myUser"' -o ConnectTimeout=10 -o ControlPath=/Users/lmoreau/.ansible/cp/d895b40f7e -tt myServer '/bin/sh -c '"'"'sudo su - webapps -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-nxilvumwmfikgyuisutwiwobidrgqpao ; /usr/bin/python /var/tmp/ansible-tmp-1583355901.6967812-200466745901442/AnsiballZ_setup.py'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"' && sleep 0'"'"''

...

"msg": "Timeout (12s) waiting for privilege escalation prompt: \r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\n"

Alternative attempt with:

[privilege_escalation]
become_exe=’sudo su - ‘

"module_stdout": "/bin/sh: ’sudo: command not found\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",

Without overriding the become_exe:

  • "su" method gives "Timeout (12s) waiting for privilege escalation prompt: "

  • "sudo" method gives "msg": "Missing sudo password"

Note: I do not have the password of the account I want to become, and am not supposed to have any.

How can I do the same as what I do by hand with Ansible?

Comment by mdaniel (1 vote):
This is becoming a FAQ: ansible does not tolerate restricted become commands, but you're welcome to try some of the competing become plugins and see if they fit your security requirements any better.

1 Answer

0 votes

Use this:

- hosts: application
  become: yes
  become_exe: "sudo su - webapps"
  become_method: su
  tasks:
  - name: Updates file
    copy:
      src: a.txt
      dest: dest/a.txt
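To make the two failures in the question easier to reason about, here is an added Python sketch (not Ansible's own code and not part of the answer) that models how the `su` become plugin assembles the remote command from `become_exe`, `become_flags` and `become_user`, and checks a `become_exe` value for the typographic quotes that turned `’sudo su - ‘` into the command name `’sudo`. The `BECOME-SUCCESS` marker and the `/bin/sh -c` wrapping follow the shape of the `-vvv` output above; the exact plugin internals are an assumption.

```python
import shlex
import unicodedata

# Quote-like characters that editors and copy/paste often substitute for
# ASCII quotes. A POSIX shell does not treat them as quoting, so they end
# up as part of the command word (hence "/bin/sh: ’sudo: command not found").
TYPOGRAPHIC_QUOTES = {"\u2018", "\u2019", "\u201c", "\u201d"}


def check_become_exe(become_exe: str) -> list:
    """Return human-readable problems found in a become_exe value ([] if clean)."""
    problems = []
    for offset, ch in enumerate(become_exe):
        if ch in TYPOGRAPHIC_QUOTES:
            problems.append(
                f"offset {offset}: {unicodedata.name(ch)} is not a shell quote; "
                "the remote shell will pass it as part of the command name"
            )
    return problems


def build_su_command(cmd: str, become_exe: str = "su", become_flags: str = "",
                     become_user: str = "root",
                     marker: str = "BECOME-SUCCESS-example") -> str:
    """Model of the su become plugin: '<exe> <flags> <user> -c <wrapped cmd>'.

    The wrapped command echoes a success marker before the real command so
    the controller can detect that escalation worked even when no password
    prompt is ever shown (the case in the question: no password is known).
    """
    success_cmd = f"/bin/sh -c {shlex.quote(f'echo {marker} ; {cmd}')}"
    head = " ".join(p for p in (become_exe, become_flags, become_user) if p)
    return f"{head} -c {shlex.quote(success_cmd)}"


def remote_argv(become_command: str) -> list:
    """Split the string the way the remote /bin/sh would (POSIX quoting rules)."""
    return shlex.split(become_command)


def remote_command_name(become_command: str) -> str:
    """The first word the remote shell will try to execute."""
    return remote_argv(become_command)[0]


if __name__ == "__main__":
    # Constructed sample: the question's working-shape config and the broken one.
    for exe in ("sudo su -", "\u2019sudo su - \u2018"):
        cmd = build_su_command("/usr/bin/python AnsiballZ_setup.py",
                               become_exe=exe, become_user="webapps")
        print(repr(remote_command_name(cmd)), check_become_exe(exe) or "ok")
```

The first configuration resolves to `sudo` as the remote command name, matching the `-vvv` line in the question; the second resolves to `’sudo`, which is exactly the "command not found" error shown.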