Another sudo issue

Hi All,

Just getting started with Ansible and I’m having issues with some of the sudo stuff.

I have a user deployer, who has limited permissions on the server. Neither deployer nor root has a password set; I'm using ssh keys for deployer.

I am trying to give deployer permission to stop/start services on the server, and have tried to give them access in sudoers:

```
deployer ALL=(root) NOPASSWD: /usr/sbin/service
```

In my playbook I have a task:

```yaml
tasks:
  - name: Stop Nginx
    sudo: yes
    service:
      name: nginx
      state: stopped
```

From what I can see, the `sudo: yes` causes the script to be wrapped in an Ansible sudo call, which uses /bin/sh to run the generated script. As the user doesn't have permission to run /bin/sh as root, the result is the play locking up waiting for a password to be entered.

```
ESTABLISH CONNECTION FOR USER: deployer
REMOTE_MODULE service name=nginx state=stopped
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/cameron/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=deployer', '-o', 'ConnectTimeout=10', 'server', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1402872399.78-47692345481072 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1402872399.78-47692345481072 && echo $HOME/.ansible/tmp/ansible-tmp-1402872399.78-47692345481072'"]
PUT /tmp/tmpzh6oFh TO /home/deployer/.ansible/tmp/ansible-tmp-1402872399.78-47692345481072/service
EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/cameron/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=deployer', '-o', 'ConnectTimeout=10', 'server', u'/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=xqpamkcjagkzzsxuwdwnijqkrpitvqyy] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-xqpamkcjagkzzsxuwdwnijqkrpitvqyy; LC_CTYPE=C LANG=C /usr/bin/python /home/deployer/.ansible/tmp/ansible-tmp-1402872399.78-47692345481072/service'"'"''']
```

I could set the user to have permission to run /bin/sh, but that seems incorrect (may as well set it to ALL, which btw does work as I desire).

Is this something that I can resolve either in sudoers, or in the Ansible script?

Any help would be appreciated.

Cheers, Cameron
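Added example (not from the thread, and not Ansible's or sudo's code): a small Python model of sudoers command matching, run over the rule above and the argv that sudo receives from the inner `/bin/sh -c` in the log. It assumes shlex-style argument splitting, no wildcards or aliases, and a constructed list of shell paths that amount to ALL.

```python
import shlex

# Constructed inputs: the thread's sudoers line, the argv sudo receives from the
# command Ansible generated (the inner /bin/sh -c, after the outer shell's quoting),
# and the command the author actually wanted deployer to run.
SUDOERS_LINE = "deployer ALL=(root) NOPASSWD: /usr/sbin/service"
ANSIBLE_ARGV = ["/bin/sh", "-c",
                "echo SUDO-SUCCESS-xqpamkcjagkzzsxuwdwnijqkrpitvqyy; "
                "LC_CTYPE=C LANG=C /usr/bin/python /home/deployer/.ansible/tmp/"
                "ansible-tmp-1402872399.78-47692345481072/service"]
MANUAL_ARGV = ["/usr/sbin/service", "nginx", "stop"]
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}  # assumed: a root shell equals ALL

def parse_sudoers_line(line):
    """Return (tags, cmnds) from 'user host=(runas) TAG: cmd [args], cmd ...'."""
    cmnd_part = line.split("=", 1)[1].strip()
    if cmnd_part.startswith("("):                 # drop the (runas) list
        cmnd_part = cmnd_part.split(")", 1)[1].strip()
    tags = []
    while ":" in cmnd_part and cmnd_part.split(":", 1)[0].isupper():
        tag, cmnd_part = cmnd_part.split(":", 1)   # NOPASSWD:, SETENV:, ...
        tags.append(tag)
        cmnd_part = cmnd_part.strip()
    return tags, [shlex.split(spec) for spec in cmnd_part.split(",")]

def matching_spec(cmnds, argv):
    """First Cmnd_Spec that allows argv, or None (wildcards, aliases not modelled)."""
    for spec in cmnds:
        if spec == ["ALL"]:
            return spec
        if argv[0] != spec[0]:                    # sudo matches the program path first
            continue
        args = spec[1:]
        if (not args                              # bare path: any arguments allowed
                or args == [""] and len(argv) == 1  # "": no arguments allowed
                or args == argv[1:]):             # listed arguments: exact match only
            return spec
    return None

def check(line, argv):
    """How sudo would treat argv under this line; 'prompts' is the hang seen in the play."""
    tags, cmnds = parse_sudoers_line(line)
    matched = matching_spec(cmnds, argv)
    return {"permitted": matched is not None,
            "prompts": matched is None or "NOPASSWD" not in tags,
            # ALL or a shell lets the user run anything as root: the rule confines nothing.
            "unrestricted": matched is not None and (matched == ["ALL"] or matched[0] in SHELLS)}
```

Running `check(SUDOERS_LINE, ANSIBLE_ARGV)` shows the rule never matches what Ansible actually runs, while the two rules that do match it (`ALL` or `/bin/sh`) both confine nothing.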

Do I infer correctly that you have your sudo environment locked down so users can only run specific commands? If so, that won’t be compatible.

Yes that’s correct, or at least that was the intention.

I was hoping to be able to restrict sudo to just be able to run e.g. sudo service nginx restart, but by using /bin/sh to wrap the call it breaks that intention.

So I take it that there is no way to use Ansible to call a command via sudo without Ansible using /bin/sh? (ignoring that I could use shell: sudo service nginx restart).

If there is no way of doing this, maybe the docs should be updated to reflect this?

Cheers, Cameron

Ansible can pick an executable, but you cannot arbitrarily confine sudo since it runs lots of Ansible modules, not simple shell commands.

I believe the docs already discuss it to the proper depth.