Ansible - Strange Error - Executing Linux Playbooks - Command Not Allowed

Hi All - I have a simple playbook below which is executed in AWX to connect to Linux machines. This playbook fails with a very strange issue on execution. I get a “Command not allowed” error.

```
- name: Unmount File System Scenario 1
  hosts: "{{ hosts }}"
  gather_facts: yes

  vars_prompt:
    - name: "mount_path"
      prompt: "Enter the mount path"
      private: no

  tasks:
    - name: Extract Mount Point
      # $7 is the "Mounted on" column of `df -Th` output
      shell: df -Th | grep "{{ mount_path }}" | awk '{print $7}'
      register: var_output
```

The method that Ansible uses to connect to the machine is not via SSH keys; rather, it’s configured to use a user, autouser. autouser is an AD user, and is configured in Centrify to use a restricted shell. So it doesn’t get full root access, rather only a limited set of commands.

This is the bash information for the autouser

```
autouser:x:123456:987654:AUTOUSER:/home/autouser:/usr/bin/dzsh
```

When we execute this playbook, we get errors stating command not found for internal Ansible commands.

See below excerpts from Ansible debug logs.

```
TASK [Gathering Facts] *********************************************************
task path: /runner/project/ansible/xyz.yaml:2
<servername1234.xyz.com> ESTABLISH SSH CONNECTION FOR USER: autouser
<servername1234.xyz.com> SSH: EXEC sshpass -d10 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="autouser"' -o ConnectTimeout=10 -o 'ControlPath="/runner/cp/f1d16e4965"' servername1234.xyz.com '/bin/sh -c '"'"'echo ~autouser && sleep 0'"'"''
```

And we get this error:

```
rcvd ext data 66
/bin/sh -c echo ~autouser && sleep 0 : command not allowed
```
Similarly here is another snippet of another internal command being run and facing the same error.

```
<servername1234.xyz.com> ESTABLISH SSH CONNECTION FOR USER: autouser
<servername1234.xyz.com> SSH: EXEC sshpass -d10 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="autouser"' -o ConnectTimeout=10 -o 'ControlPath="/runner/cp/f1d16e4965"' servername1234.xyz.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp `"&& mkdir "` echo ~/.ansible/tmp/ansible-tmp-1727992536.7384903-25-237630304590132 `" && echo ansible-tmp-1727882536.7384903-25-237640406490132="` echo ~/.ansible/tmp/ansible-tmp-1727882536.7384903-25-237630306490132 `" ) && sleep 0'"'"''
```

And we get this error:

```
debug3: mux_client_request_session: session request sent
/bin/sh -c ( umask 77 && mkdir -p "` echo ~/.ansible/tmp `"&& mkdir "` echo ~/.ansible/tmp/ansible-tmp-1727882536.7384903-25-237630306490132 `" && echo ansible-tmp-1727882536.7384903-25-237630306490132="` echo ~/.ansible/tmp/ansible-tmp-1727882536.7384903-25-237630306490132 `" ) && sleep 0 : command not allowed
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 127
<servername1234.xyz.com> Failed to connect to the host via ssh: OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
```

And as a result, the playbook fails. But note that these commands are not part of the playbook I’ve written. Rather, Ansible is adding them in the background.

All of these commands are individually part of the restricted shell for autouser. But because /bin/sh -c is passed by Ansible, Centrify is rejecting them.

Locally, via PuTTY, if I execute the command without the /bin/sh -c, I get the output without any error.


```
[root@servername789 ~]# ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="autouser"' -o ConnectTimeout=10   servername1234 echo ~autouser && sleep 0

This computer system (including all hardware, software, electronic mail and
the network) that you have accessed or will access is for the sole use of
Company-authorized users (including contractors, consultants, and employees)
in their conduct of Company-related business.

System users are accountable for the use and security of their passwords.

autouser@servername1234's password:
/home/autouser
```

As you can see, the command worked when I removed the /bin/sh -c, the quotations, etc. So there is no issue with the restricted shell setup. Rather, the problem is that Ansible is forcibly adding /bin/sh -c.

We’ve tried all the different options for not including any shell, but we’re unable to find a solution to this problem.

Please provide some guidance. It will be of great help, as I’ve been struggling with this for a few months. Thank you for your help.

Regards,

Maybe the raw module would work for you. But if you’re using Ansible just to run a bunch of raw tasks, you probably shouldn’t use Ansible.

Ansible does wrap the commands you put in the playbook in other commands, like you noticed. That’s one of the advantages of Ansible: it allows you to have better error handling and outputs than just using a shell script.

Your approach to authorization could be improved, IMO. Instead of (overly) restricting what the autouser can do, you should restrict who can modify/execute playbooks that will run as the autouser. You will have better auditing on who in your org actually does stuff, and you can still audit the autouser and flag any suspicious activity for review.

1 Like

Ultimately I’m unsure of the feasibility of getting Ansible working with such a restricted shell. This is one of those things that is “left to the reader” to research and determine if it can be done.

now also doesn’t work unfortunately. Thank you for the reply.

We resolved this issue by updating the restricted shell to accept commands such as /bin/sh -c *. Only then did it work.

Thanks.

Not really much of a restricted shell now then!

1 Like
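The last reply’s point, as an added example that is not from the thread and not Centrify’s dzsh (whose matching rules are not shown on this page): a toy glob-based allowlist in the style of a restricted shell, loaded with a constructed list of the individual commands Ansible needs plus the `/bin/sh -c *` entry from the fix. `is_allowed` is what such a shell checks; `inner_command` is what actually runs afterwards, and `effectively_restricted` is the review check that shows the wildcard entry lets through any command the list would otherwise deny.

```shell
#!/bin/sh
# Added example (not Centrify dzsh): emulate a glob allowlist restricted shell
# to show why permitting "/bin/sh -c *" removes the restriction in practice.

# Constructed allowlist: the commands Ansible's wrappers need, plus the
# "/bin/sh -c *" entry the thread reports adding to make the playbook run.
ALLOWLIST='df -Th*
mkdir -p *
echo ~*
/bin/sh -c *'

# is_allowed CMD: exit 0 if CMD matches any glob in ALLOWLIST, else exit 1.
is_allowed() {
    cmd=$1
    printf '%s\n' "$ALLOWLIST" | {
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            # Unquoted $pat is deliberate: case treats it as a glob pattern.
            case "$cmd" in
                $pat) exit 0 ;;
            esac
        done
        exit 1
    }
}

# inner_command CMD: the string the real shell interprets once the restricted
# shell has approved CMD. For "/bin/sh -c X" that is X, which the allowlist
# never examined.
inner_command() {
    case "$1" in
        "/bin/sh -c "*) printf '%s\n' "${1#"/bin/sh -c "}" ;;
        *)              printf '%s\n' "$1" ;;
    esac
}

# effectively_restricted CMD: succeed only if both the submitted command line
# and the command that will really execute pass the allowlist.
effectively_restricted() {
    is_allowed "$1" && is_allowed "$(inner_command "$1")"
}

# Demonstration over constructed inputs: Ansible's home-directory probe from
# the thread, and a payload that only the wildcard entry lets through.
for c in 'df -Th' \
         '/bin/sh -c echo ~autouser && sleep 0' \
         'cat /etc/shadow' \
         '/bin/sh -c cat /etc/shadow'; do
    if is_allowed "$c"; then verdict=allowed; else verdict=denied; fi
    printf '%-40s -> %s (really runs: %s)\n' "$c" "$verdict" "$(inner_command "$c")"
done
```

Run as-is to see that `cat /etc/shadow` is denied on its own but `/bin/sh -c cat /etc/shadow` is allowed, which is exactly the command the wildcard entry hands to a full shell; any allowlist that contains `/bin/sh -c *` only restricts how a command is spelled, not what it does.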