How to chain double privilege escalation using sudo

Hello,

I’d like to manage a bastion appliance “Wallix Access Manager”. This appliance requires a two-step sudo escalation to become root, and I don’t want to create an alternate user with a specific sudoers setup as it would violate the appliance security model…

So the “official path” is:

  1. ssh on port 2242 using the wabadmin account. Not a problem with Ansible.
  2. elevate to the wabsuper account using the `super` command: actually a wrapper to `sudo -u wabsuper sudo -u wabsuper /bin/bash -c "$*"` or `sudo -u wabsuper /bin/bash --login` depending on the shell context.
  3. impersonate root with a `sudo su -`

Of course the user password is asked every time.

The groups ownership for the users are as follows:

uid=1000(wabadmin) gid=1000(wabadmin) groups=1000(wabadmin)
uid=1002(wabsuper) gid=1003(wabsuper) groups=1003(wabsuper),1002(wabgroup)
uid=0(root) gid=0(root) groups=0(root)

So I tried to write a become plugin by forking the core sudo plugin. But of course I’m facing issues!

First problem

User wabsuper can’t read the file dropped by the remote user wabadmin in the Ansible temp directory for task execution, because the Ansible connection creates files with 0o600 privileges and this is not tunable.

So even if the first elevation wabadmin → wabsuper exits successfully, Ansible can’t execute the task payload because the elevated user on the remote host can’t read the task script dropped by the remote access user!

I’d need to change the privileges of the temp script on the fly. But in the become plugin scope I don’t have the information about the temporary script location.

Second problem

If I want to become root, I need to nest sudo invocations like this :slight_smile:

```bash
sudo -S -H -p "[sudo via ansible, key=test] password:" \
    -u wabsuper \
    /bin/bash -c 'echo BECOME-SUCCESS-feyrwphcvznfkswowpxzecugjjlulssm ; \
    sudo -S -H -p "[sudo via ansible, key=hkiuzuaotpnbzinrsequgzojxauzvrya] password:" \
    /bin/bash -c "echo BECOME-SUCCESS-feyrwphcvznfkswowpxzecugjjlulssm ; cat /etc/shadow"'
```

The `cat /etc/shadow` is here for the purpose of a root-only task :smiley:

But of course, as the target system requests the password 2 times, I get the following message:

fatal: [wallix-am1.abyss.corp]: FAILED! => {"msg": "Timeout (32s) waiting for privilege escalation prompt: "}

And I didn’t find a way to address this issue either :'(

Thanks,

Eric
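The second problem above is essentially a command-building and prompt-matching question: the nested command must survive two levels of shell quoting, and the caller must be able to tell which sudo layer is currently asking for a password. The following is an added example, not code from the original post, from Ansible or from Wallix. It keeps the post's layout (`sudo -S -H -p PROMPT -u USER /bin/bash -c ...`, the `[sudo via ansible, key=...] password:` prompt and the `BECOME-SUCCESS-<key>` marker) but makes two design choices of its own: every hop gets its own key so the prompts are distinguishable, and the success marker is echoed only once, at the innermost hop. All function and class names (`build_chain`, `sudo_hop`, `parse_hop`, `HopTracker`) are hypothetical.

```python
"""Multi-hop sudo command builder and password-prompt tracker.

Added example, not code from the original post, from Ansible or from
Wallix. The prompt format, marker prefix and sudo flags follow the post;
per-hop keys and the single innermost marker are this example's design
choices, and every function/class name here is hypothetical.
"""
import re
import secrets
import shlex
import string

PROMPT_RE = re.compile(r"\[sudo via ansible, key=([a-z]{32})\] password:")
SUDO_FAIL = ("Sorry, try again.",)  # sudo's own wrong-password message


def new_key(length=32):
    """Random lowercase key, the shape the post's prompts and markers use."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def sudo_prompt(key):
    return f"[sudo via ansible, key={key}] password:"


def sudo_hop(inner_cmd, user, key):
    """One sudo layer; shlex.quote keeps nested quotes intact at any depth."""
    return (f"sudo -S -H -p {shlex.quote(sudo_prompt(key))} -u {user} "
            f"/bin/bash -c {shlex.quote(inner_cmd)}")


def parse_hop(cmd):
    """Inverse of sudo_hop: returns (prompt, user, inner_cmd) of one layer."""
    argv = shlex.split(cmd)
    if (len(argv) != 10 or argv[:4] != ["sudo", "-S", "-H", "-p"]
            or argv[5] != "-u" or argv[7:9] != ["/bin/bash", "-c"]):
        raise ValueError("not a sudo layer built by sudo_hop")
    return argv[4], argv[6], argv[9]


def build_chain(cmd, hops, success_key):
    """Wrap cmd in one sudo layer per hop.

    hops: [(user, key), ...] in the order the escalation happens
    (outermost first, e.g. wabsuper then root). The success marker is
    echoed once, at the innermost hop, so an outer hop completing cannot
    be mistaken for the end of the whole escalation.
    """
    if not hops:
        raise ValueError("at least one hop is required")
    inner = f"echo BECOME-SUCCESS-{success_key} ; {cmd}"
    for user, key in reversed(hops):
        inner = sudo_hop(inner, user, key)
    return inner


class HopTracker:
    """Classifies a chunk of remote output while the chain is running."""

    def __init__(self, hops, success_key):
        self.keys = [key for _, key in hops]
        self.marker = f"BECOME-SUCCESS-{success_key}"
        self.answered = 0  # prompts seen (and answered) so far

    def feed(self, output):
        """'success', 'fail', 'prompt:N' (send the password for hop N),
        'unexpected-prompt' (a hop out of order) or None (unrelated output)."""
        if self.marker in output:
            return "success"
        if any(msg in output for msg in SUDO_FAIL):
            return "fail"
        match = PROMPT_RE.search(output)
        if match is None:
            return None
        if self.answered < len(self.keys) and match.group(1) == self.keys[self.answered]:
            self.answered += 1
            return f"prompt:{self.answered}"
        return "unexpected-prompt"


if __name__ == "__main__":
    hops = [("wabsuper", new_key()), ("root", new_key())]
    success_key = new_key()
    print(build_chain("id", hops, success_key))
    # Constructed transcript of what the remote side would send back.
    tracker = HopTracker(hops, success_key)
    for line in (sudo_prompt(hops[0][1]), sudo_prompt(hops[1][1]),
                 "BECOME-SUCCESS-" + success_key):
        print(repr(line[:40]), "->", tracker.feed(line))
```

A become plugin built this way would answer `prompt:1` and `prompt:2` with the password in turn and only treat the escalation as finished on `success`; the single-marker rule matters because the post's command echoes the marker before the inner sudo has even prompted.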