Ansible [Errno 13] Permission denied

Hello All,

Can I please get some help on this issue I have been trying to figure out for hours now. When I run the below command:

I am trying to run the below command from my:

Mac and connect to an Amazon Linux 2 server
Mac has Ansible 2.8.2
Mac has Python 2.7.10
Server has Python 2.6.9
My setup is such that I use private keys, but still need to enter a password (it's a security precaution at work).

```
ansible all -i inventory --private-key="/Users/p/andrewm.pem" -u andrewm -b -k -K -m command -a "/usr/sbin/useradd -s /bin/bash -m test"

SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 54.x.183.46 closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
```

I am able to ping successfully:

```
ansible all -i inventory -m ping --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm --ask-become-pass -k
SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
```

More verbose output

```
ansible all -vvv -i inventory -m command -a "/usr/sbin/useradd -s /bin/bash -m test" --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm --ask-become-pass -k
ansible 2.8.2
config file = /WALLETHUB/ansible/ansible.cfg
configured module search path = [u'/var/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /Library/Python/2.7/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 2.7.10 (default, Feb 22 2019, 21:55:15) [GCC 4.2.1 Compatible Apple LLVM 10.0.1 (clang-1001.0.37.14)]
Using /WALLETHUB/ansible/ansible.cfg as config file
SSH password:
BECOME password[defaults to SSH password]:
host_list declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
script declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
auto declined parsing /WALLETHUB/ansible/inventory as it did not pass it's verify_file() method
Parsed /WALLETHUB/ansible/inventory inventory source with ini plugin
META: ran handlers
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'echo ~andrewm && sleep 0'"'"''
<54.2x.183.46> (0, '/home/andrewm\n', '')
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397 `" && echo ansible-tmp-1564955687.71-187487933428397="` echo /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397 `" ) && sleep 0'"'"''
<54.x.183.46> (0, 'ansible-tmp-1564955687.71-187487933428397=/home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397\n', '')
<dev_jenkins> Attempting python interpreter discovery
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.2x.183.46 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<54.2x.183.46> (0, 'PLATFORM\nLinux\nFOUND\n/usr/bin/python\n/usr/bin/python3.6\n/usr/bin/python2.7\n/usr/bin/python2.6\n/usr/bin/python3\n/usr/bin/python\nENDFOUND\n', '')
<54.x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.x.183.46 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<54.2x.183.46> (0, '{"osrelease_content": "NAME=\"Amazon Linux AMI\"\nVERSION=\"2018.03\"\nID=\"amzn\"\nID_LIKE=\"rhel fedora\"\nVERSION_ID=\"2018.03\"\nPRETTY_NAME=\"Amazon Linux AMI 2018.03\"\nANSI_COLOR=\"0;33\"\nCPE_NAME=\"cpe:/o:amazon:linux:2018.03:ga\"\nHOME_URL=\"http://aws.amazon.com/amazon-linux-ami/\\"\\n", "platform_dist_result": ["", "", ""]}\n', '')
<dev_jenkins> Python interpreter discovery fallback (unsupported Linux distribution: amzn)
Using module file /Library/Python/2.7/site-packages/ansible/modules/commands/command.py
<54.2x.183.46> PUT /var/root/.ansible/tmp/ansible-local-42993v4FGWo/tmp3ToKAg TO /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py
<54.2x.183.46> SSH: EXEC sshpass -d43 sftp -o BatchMode=no -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d '[54.2x.183.46]'
<54.2x.183.46> (0, 'sftp> put /var/root/.ansible/tmp/ansible-local-42993v4FGWo/tmp3ToKAg /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py\n', '')
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2xx.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.2x.183.46 '/bin/sh -c '"'"'chmod u+x /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/ /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py && sleep 0'"'"''
<54.x.183.46> (0, '', '')
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d -tt 54.2x.183.46 '/bin/sh -c '"'"'/usr/bin/python /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/AnsiballZ_command.py && sleep 0'"'"''
<54.x.183.46> (1, '\r\n{"exception": "WARNING: The below traceback may not be related to the actual failure.\n File \"/tmp/ansible_command_payload_xIvWEp/ansible_command_payload.zip/ansible/module_utils/basic.py\", line 2561, in run_command\n cmd = subprocess.Popen(args, **kwargs)\n File \"/usr/lib64/python2.6/subprocess.py\", line 642, in __init__\n errread, errwrite)\n File \"/usr/lib64/python2.6/subprocess.py\", line 1238, in _execute_child\n raise child_exception\n", "cmd": "/usr/sbin/useradd -s /bin/bash -m test", "failed": true, "rc": 13, "invocation": {"module_args": {"creates": null, "executable": null, "_uses_shell": false, "strip_empty_ends": true, "_raw_params": "/usr/sbin/useradd -s /bin/bash -m test", "removes": null, "argv": null, "warn": true, "chdir": null, "stdin_add_newline": true, "stdin": null}}, "msg": "[Errno 13] Permission denied"}\r\n', 'Shared connection to 54.x.183.46 closed.\r\n')
<54.x.183.46> Failed to connect to the host via ssh: Shared connection to 54.x.183.46 closed.
<54.2x.183.46> ESTABLISH SSH CONNECTION FOR USER: andrewm
<54.2x.183.46> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/Users/confluencetrades/Desktop/andrewm.pem"' -o 'User="andrewm"' -o ConnectTimeout=10 -o ControlPath=/private/var/root/.ansible/cp/a3358dc28d 54.X.183.46 '/bin/sh -c '"'"'rm -f -r /home/andrewm/.ansible/tmp/ansible-tmp-1564955687.71-187487933428397/ > /dev/null 2>&1 && sleep 0'"'"''
<54.x.183.46> (0, '', '')
The full traceback is:
WARNING: The below traceback may not be related to the actual failure.
File "/tmp/ansible_command_payload_xIvWEp/ansible_command_payload.zip/ansible/module_utils/basic.py", line 2561, in run_command
cmd = subprocess.Popen(args, **kwargs)
File "/usr/lib64/python2.6/subprocess.py", line 642, in __init__
errread, errwrite)
File "/usr/lib64/python2.6/subprocess.py", line 1238, in _execute_child
raise child_exception

dev_jenkins | FAILED | rc=13 >>
[Errno 13] Permission denied
```

You are not really adding "--become" here, even though you are supplying the become password. I am not sure that supplying the become password automatically enables "become".

- Sandip

I tried --become, but it doesn't work either.

```
ansible all -i inventory --private-key="/Users/confluencetrades/Desktop/andre.pem" -u andrewm -k --become --ask-become-pass -m command -a "/usr/sbin/useradd -s /bin/bash -m test"
SSH password:
BECOME password[defaults to SSH password]:
dev_jenkins | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "module_stderr": "Shared connection to 54.xx.183.46 closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
```

Thank you, but I also tried that, but no luck

> ansible all -i inventory --private-key="/Users/confluencetrades/Desktop/andrewm.pem" -u andrewm -k --become --ask-become-pass -m command -a "/usr/sbin/useradd -s /bin/bash -m test"
> SSH password:

Can you run with --debug and see the output? It shows the exact command executed remotely.

- Sandip

[ Yeah, it should have been -vvv and not --debug. I am mixing up apps. :slight_smile: My apologies. ]

Ahh, you are right, I am getting the error:

```
Sorry, user andrewm is not allowed to execute '/bin/sh -c echo hello from bash; python -c 'print "hello"' ' as root on ip-10-0-0-162
```

but in Ansible I am becoming root! Now when I become the root user I am able to:

```
# sudo /bin/sh -c "echo hello from bash; python -c 'print \"hello\"' "

hello from bash
hello
```

How can I fix this issue?

You need to change your sudo config to allow executing /bin/sh. This has always been an Ansible requirement - to be able to use privilege escalation, you need to let sudo run arbitrary commands.

The relevant config to fix should be somewhere in /etc/sudoers or some file in /etc/sudoers.d. The specific config varies from installation to installation, and changing it has security implications. So if you have a different person handling system level setup (you mentioned in your first mail that there are certain security requirements at work) you should definitely work with them to change this, else you can leave your system vulnerable in an unexpected way. Else if you can do this yourself, look up "man sudoers" to understand the current config and change it.

- Sandip
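
A check for the requirement described above, as an added example that is not part of the original thread: the shell function below reads `sudo -l` output and reports whether a rule lets the user run `ALL` or `/bin/sh` as root, which is what Ansible's become needs. The function name `become_check` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Ansible's become runs each module as
# `/bin/sh -c '<command>'` under sudo, so a sudoers rule that only lists
# specific binaries (useradd, yum, ...) is rejected before the module starts.

# Reads `sudo -l` text on stdin; prints "ok: <rule>" or "blocked".
become_check() {
    awk '
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*\(/, "", line)
        # runas: text inside the parentheses; keep the user part of "user : group".
        runas = line
        sub(/\).*/, "", runas)
        sub(/[ \t]*:.*/, "", runas)
        if (runas !~ /(^|,[ \t]*)(ALL|root)([ \t]*,|$)/) next
        # Keep only the command list and drop tags such as NOPASSWD: or SETENV:.
        sub(/^[^)]*\)[ \t]*/, "", line)
        gsub(/[A-Z_]+:[ \t]*/, "", line)
        n = split(line, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            sub(/[ \t]+$/, "", c)
            # Only ALL or an unrestricted /bin/sh lets the wrapped command run.
            if (c == "ALL" || c == "/bin/sh") found = c
        }
    }
    END { if (found != "") print "ok: " found; else print "blocked" }
    '
}

# Constructed sample outputs; the thread does not show the real sudoers rules.
RESTRICTED='User andrewm may run the following commands on ip-10-0-0-162:
    (root) /usr/sbin/useradd, /usr/sbin/usermod'
FULL='User andrewm may run the following commands on ip-10-0-0-162:
    (ALL : ALL) ALL'

printf '%s\n' "$RESTRICTED" | become_check
printf '%s\n' "$FULL" | become_check
```

On the managed host, `sudo -l | become_check` applies the same check to the real policy. A rule that allows `/bin/sh` is equivalent to unrestricted root, so a command allow-list in sudoers no longer contains anything once it is granted.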

Thanks! great info, it worked.

Issue was with my sudo permissions file. Thanks to Sandip, he was a great help.