Allowed specific commands with NOPASSWD in sudoers file, Ansible complains...

No, the issue is that Ansible does not support fine-grained sudo
permissions. It executes a Python file which might execute the
commands you see, but sudo wraps the entire thing, not just the
command.

So that’s a security bug then.

The point of sudo is to enable fine-grained control rather than just granting root access to everything.

Ansible needs to be upgraded to only SUDO the expected commands rather than an entire script that does other things that are not visible.

This is the same as https://github.com/ansible/ansible/issues/13077

So I guess you get this question a lot.

The purpose of sudo is to allow for privilege escalation; the fine-grained
escalation is a feature.

The way Ansible works currently requires arbitrary command specs;
this is not a bug, but it is a limitation. This won't work for all
environments, specifically those that only allow specific commands.

This is a feature we want to add, but it won't work with all modules;
it would only work with modules that shell out to run commands.
For example, if a module changes ownership of a file using the
Python/Perl/Ruby function to do so, it would not work with
`/bin/chmod` permissions in sudoers, as it will be making a system
call and not running a command.

Hi

Is there any progress on this feature? Is it available in the latest version of Ansible? More specifically for the service module (for example, to allow reloading of specific services).

Thanks

As you don't quote what you are talking about I can only assume the
title is what you are after.

No, ansible needs to run something like "sudo -H -S -n -u root
/bin/bash" to work. You might set that to NOPASSWD, but it just means
you allow the ansible user everything.

Johannes
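As an added illustration of the point Johannes makes (this is not code from the thread or from Ansible): a deliberately simplified sudoers matcher showing why a command-specific NOPASSWD rule never matches the shell/interpreter invocation that Ansible's become wraps in sudo, while only a blanket `ALL` rule does. The sudoers lines, user names, and the become command string are constructed for the example.

```python
import re
import shlex

# Constructed sudoers snippet: the narrow rule the asker wants, and the
# broad rule Ansible's become actually needs.
SUDOERS = """
deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
ansible ALL=(ALL)  NOPASSWD: ALL
"""

# Constructed approximation of what become runs: sudo executes a shell
# that then runs the module's Python file, so argv[0] is the shell.
ANSIBLE_BECOME_CMD = (
    "/bin/sh -c 'echo BECOME-SUCCESS-constructed; "
    "/usr/bin/python /home/deploy/.ansible/tmp/AnsiballZ_service.py'"
)

# user host=(runas) [NOPASSWD:|PASSWD:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$"
)

def parse_sudoers(text):
    """Parse simple sudoers user specs into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % line)
        user, _host, runas, tag, cmds = m.groups()
        for spec in cmds.split(","):
            rules.append({"user": user, "runas": runas or "root",
                          "nopasswd": tag == "NOPASSWD", "cmd": spec.strip()})
    return rules

def rule_matches(rule, argv):
    """Simplified sudoers semantics: ALL matches anything; otherwise the
    executable path must be identical, and if the rule lists arguments
    they must match exactly (a bare path permits any arguments)."""
    if rule["cmd"] == "ALL":
        return True
    spec = shlex.split(rule["cmd"])
    return spec[0] == argv[0] and (len(spec) == 1 or spec[1:] == argv[1:])

def allowed_without_password(rules, user, command):
    """True if some NOPASSWD rule for `user` covers `command`."""
    argv = shlex.split(command)
    return any(r["user"] == user and r["nopasswd"] and rule_matches(r, argv)
               for r in rules)
```

Running `allowed_without_password` for `deploy` against `ANSIBLE_BECOME_CMD` returns False even though the rule permits the nginx reload itself, because sudo only ever sees `/bin/sh -c ...`; the `ansible` user's `ALL` rule is what makes become work, and it grants everything.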

Sorry I started a discussion on this before seeing this one : https://groups.google.com/d/msg/ansible-project/TZoUZUPO5no/6ZOxMmF3BQAJ

Yes, I mean to restrict (with sudoers configuration or something else), on the OS side, the commands the user can execute, but still allow Ansible to execute.

We are using Ansible for code deployment and there is a single task which needs become privilege: nginx reload.

So apart from the NOPASSWD setting, is there any other solution? If not, it seems to me it is a big drawback for using Ansible as a code shipping tool.