sudo twice become method for Ansible

Question

I have to deal with a setup in "/etc/sudoers" that I can't change because the servers in question are managed by a different team and they don't want to change it.

I have root access only by sudoing to another account first. My account is only allowed to run the specific command "sudo su - admin" (no additional arguments can be appended). Then, as user "admin", I can run any root commands normally with sudo (e.g., "sudo vi /etc/shadow", etc.) or open a root shell with "sudo -s" or "sudo su -", etc.

I want to run Ansible ad-hoc commands and playbooks as root (e.g., "become: yes") on these servers from a different server that I control, but it would require that Ansible first run "sudo su - admin", then run the normal "sudo" command.

I know you can create custom become methods. This seems to me the way to solve this problem, but the specific solution is beyond me. Can anyone help with this?

BTW, if it helps, "NOPASSWD:" is set for both my account and "admin" in "/etc/sudoers".

Answer 1

It's hard to manage systems this way/automate things. I don't really have a straight answer for you but it might be a starting point and give you some ideas.

Assuming the following on the remote server:

[root@node3 ~]# grep "gheo\|admin" /etc/sudoers
Defaults:admin !requiretty
Defaults:gheo !requiretty
gheo ALL=(ALL) NOPASSWD:/bin/su - admin
admin ALL=(ALL)       NOPASSWD: ALL

Play:

---
- name: something
  hosts: node3
  vars:
    maybe: "sudo su - admin <<EOF\nsudo su -"
  tasks:

    - name: check something
      shell: "{{ maybe }}; sudo tail -1 /etc/shadow"
      register: aa

    - debug:
        var: aa.stdout_lines

Output:

PLAY [something] *******************************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************************
ok: [node3]

TASK [check something] *************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

changed: [node3]

TASK [debug] ***********************************************************************************************************************************************************************************
ok: [node3] => {
    "aa.stdout_lines": [
        "Last login: Sat Aug  8 01:05:16 CEST 2020",
        "admin:!!:18481:1:90:7:::",
        "Last login: Sat Aug  8 01:05:16 CEST 2020"
    ]
}

PLAY RECAP *************************************************************************************************************************************************************************************
node3                      : ok=3    changed=1    unreachable=0    failed=0

Unfortunately I don't see this working for anything other that shell module, or maybe command, I didn't try that one.

Another option, although I don't know how practical, would be to use ansible to run a script on remote server.

[gheo@node3 ~]$ cat /home/gheo/bla.sh
#!/bin/sh
sudo su - admin <<EOF
sudo su -
tail -1 /etc/shadow
EOF

[gheo@mgt1 ~]$ ansible node3 -a "/home/gheo/bla.sh"
node3 | CHANGED | rc=0 >>
admin:!!:18481:1:90:7:::
Last login: Sat Aug  8 01:03:28 CEST 2020
Last login: Sat Aug  8 01:04:24 CEST 2020 on pts/2

You did not mention but I assumed you cannot log in directly as "admin" user, it would be easier if you could.