I'm using Ansible with Vagrant, and Ansible is trying to sudo as the postgres user to run some postgres commands.

Ansible running as the vagrant user seems to run something like `sudo -u postgres psql`

This fails with the error message `Missing sudo password`

I ssh onto the VM using the same vagrant user and try `sudo -u postgres psql` and sure enough it prompts for a password. Interestingly though, `sudo su postgres` switches to the postgres user without a password.

Why would `sudo -u` require a password when `sudo su` doesn't?

There is an entry in /etc/sudoers.d/ called vagrant that has the following contents:

`%vagrant ALL=NOPASSWD:ALL`
Max
  • 2
    I downvoted this because it shows no research. It basically amounts to will someone read the documentation for me. – user9517 Oct 21 '14 at 13:06
  • 2
    Whilst I don't think your complaint is completely unfounded, I think you could be overestimating my ability to understand the research (which I had done). These are very new concepts and nuances in why it would work for sudo su and not sudo -u are not easy for a newbie like me to understand. @XavierLucas understood and explained this nuance very succinctly. – Max Oct 21 '14 at 13:10
  • 2
    Question seems fair enough to me; if everyone was an expert then why have this site? It's a tricky area and the syntax of the config file has gotchas – leonigmig Oct 21 '14 at 13:39
  • Not every expert will have expertise in *all* fields of system administration. But you are expected to be professional at some aspects of sysadmin, and done your homework in areas where you're having problems, before posting here; as [the rubric](http://serverfault.com/help/on-topic) says, "*Server Fault is a site for system and network administrators needing expert answers*" – MadHatter Oct 23 '14 at 11:27

1 Answer

4

Because you try to impersonate user postgres while your sudoers file lets you impersonate user root from system group vagrant. When you use `sudo su` you also impersonate root.

Add this: `%vagrant ALL = (postgres) NOPASSWD: ALL`

Xavier Lucas
  • Is there a way to allow the vagrant user to impersonate any user rather than add a line per user you want to impersonate? – Max Oct 21 '14 at 13:00
  • @Max http://www.gratisoft.us/sudo/sudoers.man.html – user9517 Oct 21 '14 at 13:02
  • 1
    @Max Yes, replace `(postgres)` by `(ALL)`. But it's a huge security breach, be careful with that. And be careful, it's a group here, not a user. So any user that is part of the vagrant group will have the same privileges. Remove `%` if you want only the user vagrant to have these rights. – Xavier Lucas Oct 21 '14 at 13:02
  • @XavierLucas, at the moment it can sudo as root which would be the greatest security concern right? Is allowing it to sudo to any user any worse? Going slightly off topic now.. – Max Oct 21 '14 at 21:12
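
The runas matching discussed in this thread, as an added example that is not part of the original posts and is not sudo's own parser: a simplified Python model of how a sudoers line decides which target users it covers, plus a small audit for the broad grants the comments warn about. The function names (`parse`, `check`, `broad_grants`) are hypothetical, and the model assumes no aliases, no `Defaults` lines, and ignores host and command matching.

```python
import re

# Simplified model of one sudoers line (assumption: no aliases, Defaults,
# host or command matching):  who host = [(runas)] [NOPASSWD:] commands
RULE = re.compile(r"^(?P<who>\S+)\s+\S+?\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                  r"(?P<tag>NOPASSWD:\s*)?(?P<cmds>.+)$")

def parse(line):
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    runas = m.group("runas")
    # Without a "(...)" part the rule only covers the default target: root.
    users = ["root"] if runas is None else [
        u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
    return {"who": m.group("who"), "runas": users,
            "nopasswd": m.group("tag") is not None}

def check(rules, user, groups, target):
    """Outcome of `sudo -u target` for user: nopasswd, passwd or no-match."""
    result = "no-match"
    for rule in map(parse, rules):
        who = rule["who"]
        applies = who in ("ALL", user) or (who[0] == "%" and who[1:] in groups)
        if applies and ("ALL" in rule["runas"] or target in rule["runas"]):
            result = "nopasswd" if rule["nopasswd"] else "passwd"  # last match wins
    return result

def broad_grants(rules):
    """Flag passwordless rules given to a whole group or to any target user."""
    findings = []
    for line in rules:
        rule = parse(line)
        if rule["nopasswd"] and rule["who"].startswith("%"):
            findings.append((line, "applies to every member of the group"))
        if rule["nopasswd"] and "ALL" in rule["runas"]:
            findings.append((line, "any target user without a password"))
    return findings

ORIGINAL = ["%vagrant ALL=NOPASSWD:ALL"]                       # from the question
FIXED = ORIGINAL + ["%vagrant ALL = (postgres) NOPASSWD: ALL"]  # from the answer

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for target in ("root", "postgres"):
            print(name, target, check(rules, "vagrant", {"vagrant"}, target))
    for line, why in broad_grants(["vagrant ALL = (ALL) NOPASSWD: ALL"]):
        print(line, "->", why)
```

A `no-match` result means no rule in the list grants passwordless access to that target, which is the case where the question saw a password prompt. On a real host, `sudo -l` shows the effective rules and `visudo -c` validates the files.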