
I'm trying to create an ansible playbook that will work in my current work environment. I login to servers as user "myuser" using ssh keys. I was never given a password, so I don't know it. Most of the commands I run are executed as a different non-root user - e.g. "appadmin". I become these users via "sudo su - appadmin", since I don't have the passwords for this user either.

Different variations I've tried either complain "sudo: a password is required" or time out after 12 seconds. I'll show this second example.

The playbook is very simple:

---
- hosts: sudo-test
  gather_facts: False
  remote_user: myuser
  become: yes
  become_user: appadmin
  tasks:
    - name: who
      shell: whoami > qwert.txt

My host entry is as follows:

[sudo-test]
appserver.example.com ansible_become_method=su ansible_become_exe="sudo su"

This is the error I get:

pablo@host=> ansible-playbook test_sudo.yml

PLAY [sudo-test] ****************************************************************************************************

TASK [who] **********************************************************************************************************
fatal: [appserver.example.com]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
        to retry, use: --limit @/home/pablo/ansible_dir/test_sudo.retry

PLAY RECAP **********************************************************************************************************
appserver.example.com : ok=0    changed=0    unreachable=0    failed=1

At this point I agree that the playbook and inventory are configured correctly. I believe the issue is that /etc/sudoers doesn't permit my "appadmin" user to run in a way that allows me to leverage ansible's ability to become another user. This thread describes a similar scenario - and limitation.

The relevant section of /etc/sudoers looks like this:

User myuser may run the following commands on this host:
    (root) NOPASSWD: /bin/su - appadmin

It seems I would have to have the sysadmin change this to:

User myuser may run the following commands on this host:
    (root) NOPASSWD: /bin/su - appadmin *

Does this sound right?

  • Run your Ansible command with `-vvvv` to see the exact command Ansible runs to do the sudo. This other answer might shed some light, but it's for a different scenario: https://stackoverflow.com/a/56721207/608820. This will help to diagnose the issue. To fix it you might need to change the configuration of the server or maybe you can use a different [`become_method`](https://docs.ansible.com/ansible/latest/plugins/become.html#become-plugins) – Augusto Nov 01 '19 at 14:28
  • Thank you for the suggestion. Running in verbose mode generated quite a bit of output, but I think the most relevant snippet is as follows: ```ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=pmena -o ConnectTimeout=10 -o ControlPath=/home/pablo/.ansible/cp/b70630738d -tt appserver.example.com /bin/sh -c '"'"'sudo su - ooiui -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-*` – extraspecialbitter Nov 01 '19 at 17:57
  • This will not work. It's a known limitation of ansible privilege escalation: [it must be general](https://docs.ansible.com/ansible/latest/user_guide/become.html#privilege-escalation-must-be-general) i.e. not limited to some commands (which is your case). – Zeitounator Nov 04 '19 at 17:19
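Putting the comments together: Ansible's documentation states that privilege escalation must be general, because Ansible wraps every task in its own `/bin/sh -c '...'` invocation, and a sudoers rule that only allows the bare `/bin/su - appadmin` does not match that wrapped command, so sudo asks for a password and Ansible waits for a prompt that never gets answered. The following is an added example, not code from the question or from either answer, of the least-privilege way to satisfy that requirement: a sudoers rule that lets `myuser` run any command as `appadmin` (and only as `appadmin`, never as root) without a password, plus a playbook that uses the plain `sudo` become method so no custom `become_exe` is needed. The host group and user names are the question's; the sudoers rule, its file path, and the two tasks are assumptions.

```yaml
# Sudoers fragment (assumption: installed by the sysadmin with visudo, for
# example as /etc/sudoers.d/ansible-appadmin). It grants myuser the right to
# run any command as appadmin without a password, and nothing as root:
#
#   myuser ALL=(appadmin) NOPASSWD: ALL
#
# With that rule in place Ansible's default sudo become method, which runs
# roughly "sudo -H -S -n -u appadmin /bin/sh -c '...'", matches the rule,
# and the inventory line reduces to just the hostname:
#
#   [sudo-test]
#   appserver.example.com
---
- hosts: sudo-test
  gather_facts: false
  remote_user: myuser
  become: true
  become_method: sudo
  become_user: appadmin
  tasks:
    - name: Confirm which user the task actually runs as
      command: whoami
      register: who
      changed_when: false

    - name: Fail early if escalation did not land on appadmin
      assert:
        that: who.stdout == 'appadmin'
        fail_msg: "Expected appadmin, got {{ who.stdout }}"
```

Before changing any playbook, the same grant can be checked by hand from a normal SSH session with `sudo -n -u appadmin true`: `-n` makes sudo non-interactive, so it exits non-zero with "a password is required" whenever the rule does not cover the command, which is exactly the condition that shows up in Ansible as the privilege escalation timeout.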

2 Answers


I don't find any issue with the YAML; in fact, I got it tested in my Ansible 2.8 environment.

---
- hosts: node1
  gather_facts: False
  remote_user: ansible
  become: yes
  become_user: testuser
  tasks:
    - name: who
      shell: whoami
      register: output

    - debug: var=output

and inventory:

[node1]
node1.example.com ansible_become_method=su ansible_become_exe="sudo su"

output:

TASK [debug] ****************************************************************************************************************************
ok: [node1.example.com] =>

I would request you to increase the SSH timer (uncomment the timeout line and set it to 60, or whatever seconds you wish) in the ansible.cfg file and observe this scenario.

# SSH timeout
#timeout = 300
Sai
  • Thank you for the suggestion. I uncommented the comment field and changed it to 60 seconds, but the only change in behavior was that the timeout error occurred after 62 seconds instead of 12. Digging around in Google it seems this might be a limitation in how the "appadmin" user is set up in /etc/sudoers on the "appserver" host. Right now the relevant entry is "(root) NOPASSWD: /bin/su - appadmin", which could be problematic. Unfortunately it's another team controlling sudo access, so if that's the case I could be out of luck. – extraspecialbitter Nov 01 '19 at 15:59

Try this one:

- hosts: application
  become: yes
  become_exe: "sudo su - appadmin"
  become_method: su
  tasks:
    # Same check as in the question, so the play is complete and runnable
    - name: who
      shell: whoami
Wernfried Domscheit