Look into this document: ansible privileges escalation
In this doc it has mentioned:
--become-method=BECOME_METHOD
privilege escalation method to use (default=sudo), valid choices: [ sudo | su | pbrun | pfexec | doas | dzdo | ksu | runas | machinectl ]
What is the difference between 'sudo' and 'su'? What is really happening underneath?
Take run_command on remote_host for example?
become_method approach is sudo run_command on the remote_host. Is it true? But I think sudo is not a become to some user method, su is.
What are they and what is the difference?
The sudo method uses the sudo command, and the su method uses the su command. Both commands can be used to run commands as another user; compare:
sudo -u someuser echo hello world
With:
su someuser -c 'echo hello world'
They have slightly different semantics. The sudo command is controlled by your /etc/sudoers file and can be configured to permit privilege escalation without a password. Using su you will always need to provide a password using --ask-become-pass on the command line, or by setting the ansible_become_pass variable.
Related
In our organization, we have strict policies on our Linux users. We, in our case have a user that can execute sudo su - myuser without a password. But as soon as we add -c behind the su command that is not allowed.
The problem is Ansible adds the -c when executing the "become" command in order to set the environment variables.
My becomes variables:
become: yes
become_user: myuser
become_method: sudo
become_flags: 'su - '
Ansible executes the following:
sudo su - myuser -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lksjasdhksldjfhsdklhfshsklhkljsh; /usr/bin/python /tmp/ansible-tmp-1602838989.23-135651442029159/setup.py
And this error is caused:
fatal: [xbi407cl03vm01.dbaas.ing.net]: FAILED! => {
"msg": "Timeout (32s) waiting for privilege escalation prompt: "
}
This causes a timeout because the -c is not allowed.
Is there a way to force Ansible to only run the command after the become command was successful?
Or is there an alternative way of changing user for a playbook?
When I use ssh to run command on a remote machine, I will get the output from shell. However, if I add
sudo su - user2
I will get no output. Now, I cannot do
ssh user2#host
Because of some permission issue.
Is there any way to get the output for the following command?
ssh user1#host 'sudo su - user2; wc -l tmp.txt'
Thanks to #laenkeio. Using sudo -u user2 can run some simple programs.
However, when I need to call a python script which needs some enviroment variable for user2, the script was not able to find those default path by using sudo -u user2.
If you have the appropriate sudo rights on host you should be able to do it with:
ssh -t user1#host 'sudo -u user2 wc -l tmp.txt'
Using sudo -u means "execute as user2", thus avoiding the extra su -. And -t forces ssh to allocate a tty so that sudo can ask for your password.
If you cannot do ssh user2#host for some permission issue, you'll not be able to run ssh user1#host 'sudo su - user2; ... for the same reason...
And, even with no permission issue, when doing su - user you'll be requested for a password...
I want to make ssh connection automatically and install a packet to the connected machine. I'm able to process the SSH connection automatically. I can even run commands that do not require sudo authorization. But I didn't find a way to automatically enter the password in the commands that require sudo authorization. How do you think I can automatically enter the sudo password?
asd.sh
/usr/bin/expect -c 'spawn ssh -t usr#ip bash "pwd; sudo apt-get update"; expect "password:"; send "12345\r"; interact;'
asd.sh output
spawn ssh -t usr#ip bash pwd; sudo apt-get update
usr#ip's password:
/bin/pwd: /bin/pwd: cannot execute binary file
[sudo] password for usr:
You need the -c argument to pass a command string to Bash. Also, try to have the pattern match the full line. Try with:
/usr/bin/expect -c 'spawn ssh -t usr#ip bash -c "pwd; sudo apt-get update"; expect "*password:"; send "12345\r"; interact;'
^^ ^
Note that for this kind of task, Ansible can be very helpful as it will take care of all the boilerplate related to SSH and SUDO, and offers high-level modules to carry on any task easily.
The Ansible script ('playbook') would look like this (untested):
- hosts: ip
tasks:
- name: Update and upgrade apt packages
become: true
apt:
upgrade: yes
You can store the SUDO password in a file, and that file can be encrypted.
I have an ssh access to the box but to run certain commands I need to do sudo su - and enter the password. Then I can run all the commands under that user.
How can i achieve this ansible. I tried become and sudo nothing worked for me.
Can someone provide me a working example?
this is what working for me ...
become: yes
become_method: sudo
become_user: myuser
become_flags: 'su -c'
Ansible uses the become directive to control privilege escalation.
If you're using sudo su -, you're using sudo to raise your privileges (and su - merely launches an interactive shell). become_method should be set to "sudo".
Since you aren't using password-less sudo, you need to tell Ansible that you will be supplying a password. You can do this in a config file with ansible_become_pass, but a much more secure method is to invoke ansible with --ask-become-pass.
I used the following command in my script
sudo su - user -c bash <<EOF
cp /home/test.txt /opt/
EOF
If I use the sudo su - user on terminal, Unix don't ask me the Password but if I try to run the script the terminal ask me the Password and if I delete the EOF part the rest of code run when I quit the session.
I want to run the command in user mode sudo but the terminal don't Need ask me the Password.
If I use
sudo su - user <<EOF
code
EOF
I have an error in .bash_profile: too many argument
I want to run the command in user mode sudo but the terminal don't
Need ask me the Password.
The scenario you are experiencing is caused by the users cached credentials for sudo, which allow sudo to maintain a session and any further sudo command will not prompt for passwords.
Check this:
Open a new terminal and run sudo whatever, then close it and open another new terminal and run sudo whatever, you will see that sudo asks for password every time...
If you still need to do that, then you have the following options:
Prevent sudo to ask for password permanently:
run sudo visudo and look for the line root ALL=(ALL) ALL, then add a line
username ALL=(ALL) NOPASSWD: ALL
then save and exit.
Note: This is a security risk
Or Prevent sudo to ask for password permanently only for specific script:
run sudo visudo and look for the line root ALL=(ALL) ALL, then add a line
username ALL=NOPASSWD: path_to_the_script
then save and exit
Provide password inside the script, by running your sudo command like this:
sudo -S <<< "password" command
Note: This is a security risk too.
I guess you need to execute your command as a different user. This might be your answer: Run a shell script as another user that has no password
sudo -H -u otheruser bash -c 'echo "I am $USER, with uid $UID"'
It is a quote from the link. Probably the following is better for you:
sudo -H -u otheruser bash <<EOF
cp /home/test.txt /opt/
EOF
UPDATE: You may wish to create a specific sudo rule to run a specific command without password (inside /etc/sudoers file -remember to use visudo to edit it-):
otheruser ALL=NOPASSWD: /full/path/to/your_command.sh
(of course you need root access to edit sudoers, I hope you can do it).
And create the script called your_command.sh that contains your logic. You'll then be allowed to run it without password:
sudo -H -u otheruser your_command.sh
I know, it's not a "single line command" but it is safe as it allows only one specific command without password. And it doesn't require a password, of course!
Then don't use sudo, then it won't ask for password, but you will to be have logged in as root!