Help for community.general.sudoers collection

Hi guys, I have a task to use the community.general.sudoers collection to do some configuration of the sudoers file, but based on the collection documentation I didn't see a way of doing that. Has anyone already used this collection for this purpose?

The task I need to do is set some configs like the list below for a user or group, but following the collection doc I didn't find a way of doing this; it seems the collection only allows explicitly setting which commands a user or group can access by pointing to the binary:

  • !PASSWD
  • !SU
  • NOPASSWD: ALL

I don’t see any reason why you can’t use the module you found? community.general.sudoers module – Manage sudoers files — Ansible Community Documentation

- name: Restrict sudoer's access
  community.general.sudoers:
    name: my_custom_rule
    user: username
    # group: group_name # mutually exclusive with user:
    host: ALL
    nopassword: true
    commands:
      - '!PASSWD'
      - '!SU'

creates /etc/sudoers.d/my_custom_rule with

username ALL=NOPASSWD: !PASSWD, !SU

Does this not achieve what you're after? The only thing of note I see is that this doesn't let you create multiple lines/rules in the same file.

Alternatively, you can use the copy, template, or lineinfile modules and use the validate: /usr/sbin/visudo -cf %s parameter to ensure the changes you make won’t break sudoers.


Thank you for your help, I had a typo on:

  • !PASSWD
  • !SU

Now I did as you proposed, using single quotes:

  • '!PASSWD'
  • '!SU'

Now what I'm not understanding is that I already had the collection installed:

[van@aap sudoers]$ ansible-galaxy collection list

# /usr/share/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 4.8.9

# /home/van/.ansible/collections/ansible_collections
Collection               Version
------------------------ -------
community.general        5.8.0
redhat.rhel_system_roles 1.23.0

I had already pointed to it in ansible.cfg:

[van@aap sudoers]$ cat ansible.cfg
[defaults]
inventory = hosts
roles_path = /usr/share/ansible/collections/ansible_collections
[privilege_escalation]
become_method = sudo

but I'm getting an error when using it:

[van@aap sudoers]$ ansible-playbook tasks/main.yaml --user root
ERROR! 'community.general.sudoers' is not a valid attribute for a Play

The error appears to be in '/home/van/roles/sudoers/tasks/main.yaml': line 3, column 7, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


    - name: Configure sudoers to enable group to execute commands
      ^ here

What am I doing wrong?

You can’t execute a tasks file as a playbook. If it’s part of a role, you need to call the role from a playbook, otherwise you can use include_tasks: to call it. (though technically you can include_tasks directly to a task file in a role if you can path to it)


But my playbook is following your example as follows:

---

    - name: Configure sudoers to enable group to execute commands
      community.general.sudoers:
        become: true
        group: teste
        commands:
          - ALL
          - '!PASSWD'
          - '!SU'

    - name: Configure sudoers to enable users to execute commands
      community.general.sudoers:
        become: true
        user: teste1
        nopassword: true
        commands:
          - ALL

    - name: Insert conf sudoers
      ansible.builtin.lineinfile:
        become: true
        path: /etc/sudoers
        line: "{{ item }}"
      with_items:
        - "###Configurações de acesso para usuários do AD###"
        - "cmd_alias PASSWD=/usr/bin/passwd"
        - "cmd_alias SU=/bin/su"

Your snippet is just a tasks file, it’s missing play keys:

---
- name: Configure sudo
  hosts: all
  tasks:
    - name: Configure sudoers to enable group to execute commands
      become: true   # task keyword, not a module parameter
      community.general.sudoers:
        group: teste
        commands:
          - ALL
          - '!PASSWD'
          - '!SU'

    - name: Configure sudoers to enable users to execute commands
      become: true
      community.general.sudoers:
        user: teste1
        nopassword: true
        commands:
          - ALL

    - name: Insert conf sudoers
      become: true
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        line: "{{ item }}"
        validate: /usr/sbin/visudo -cf %s
      with_items:
        - "###Configurações de acesso para usuários do AD###"
        - "Cmnd_Alias PASSWD=/usr/bin/passwd"   # sudoers keyword is Cmnd_Alias, not cmd_alias
        - "Cmnd_Alias SU=/bin/su"

Edit: You also didn’t validate your sudo changes with lineinfile.

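To check rules like the ones in this thread before they land in /etc/sudoers.d, here is an added Python example (not code from the thread or from the community.general.sudoers module) that renders a rule from module-style parameters in the line format the reply shows, collects Cmnd_Alias definitions from constructed sudoers text, and lints the rule for aliases that are referenced but never defined and for the ALL-plus-exclusions pattern.

```python
"""Render and lint sudoers rules like the ones in this thread.

Constructed example: it mirrors the line format the reply above shows
(`username ALL=NOPASSWD: !PASSWD, !SU`); it is not the module's code.
"""
import re

# Matches alias definitions; note the keyword is Cmnd_Alias, not cmd_alias.
ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=")


def render_rule(commands, user=None, group=None, host="ALL", nopassword=False):
    """Map module-style parameters onto one sudoers line."""
    if (user is None) == (group is None):
        raise ValueError("exactly one of user or group is required")
    who = user if user else "%" + group  # groups carry a % prefix in sudoers
    tag = "NOPASSWD: " if nopassword else ""
    return f"{who} {host}={tag}{', '.join(commands)}"


def defined_aliases(sudoers_text):
    """Return the Cmnd_Alias names defined in sudoers-style text."""
    return {m.group(1) for m in map(ALIAS_RE.match, sudoers_text.splitlines()) if m}


def lint_rule(rule, aliases):
    """Findings a reviewer would raise before the rule lands in sudoers.d."""
    findings = []
    spec = rule.split("=", 1)[1]
    spec = spec.split(":", 1)[1] if ":" in spec else spec  # drop NOPASSWD: tag
    items = [c.strip() for c in spec.split(",")]
    for item in items:
        name = item.lstrip("!")
        # Upper-case bare words are alias references; ALL is built in.
        if name.isupper() and name != "ALL" and name not in aliases:
            findings.append(f"alias {name} is referenced but never defined")
    if "ALL" in items and any(i.startswith("!") for i in items):
        findings.append("ALL combined with '!' exclusions: sudoers(5) documents "
                        "that this does not reliably restrict commands")
    return findings


if __name__ == "__main__":
    # Constructed /etc/sudoers excerpt, as the lineinfile task would add it.
    sudoers = "Cmnd_Alias PASSWD=/usr/bin/passwd\nCmnd_Alias SU=/bin/su\n"
    aliases = defined_aliases(sudoers)
    for rule in (render_rule(["!PASSWD", "!SU"], user="username", nopassword=True),
                 render_rule(["ALL", "!PASSWD", "!SU"], group="teste")):
        print(rule, lint_rule(rule, aliases) or "OK")
```

Feeding it text that uses the lower-case `cmd_alias` keyword from the thread yields no aliases, so every `!PASSWD`/`!SU` reference is reported as undefined, which is what visudo -cf would also reject.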