Privilege escalation - sudo error ansible.posix.sysctl

Hi everybody, I need help please :wink: about escalation with sudo and the module ansible.posix.sysctl

In the host_vars file:

 ansible_user: admabord
 ansible_password: xxxxx
 ansible_become_user: admtech
 ansible_become_password: xxxxx
 ansible_become_method: sudo

In the role's tasks/main.yml:

 - name: Adjust value vm.swappiness
   become: true
   ansible.posix.sysctl:
     name: vm.swappiness
     value: '1'
     state: present
     sysctl_set: true
     reload: true
   register: swap
   ignore_errors: true

 - name: Debug vm.swappiness
   # Comment
   ansible.builtin.debug:
     msg:
       - "{{ swap }}"

In sudoers on the remote server:

admtech ALL = NOPASSWD: ALL

On the remote server this is OK when using the default Ansible become flags :slight_smile:

[admabord] $ sudo -H -S -p "xxxxxx" -u admtech /bin/sh -c "sudo touch /etc/test_file2"
[admabord] $ ll /etc/ |grep file2
-rw-r--r--.  1 root root             0 13 sept. 10:02 test_file2

Or this is OK too:
[admabord] $ sudo -H -S -p "admabord" -u admtech /bin/sh -c "sudo vi /etc/sysctl.conf"
The file sysctl.conf opens and I can write and save it:

# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

But this error appears with the task:
"msg": "setting vm.swappiness failed: sysctl: permission denied on key 'vm.swappiness'\n"

I don't find what my mistake is :wink:
Does anybody have an idea please :slight_smile:

Thanks,
Best regards

Have you tested any other task on this host with sudo, like creating a dir?
Have you tried changing vm.swappiness by hand?

sudo sysctl vm.swappiness=1

Maybe you can't change it: swap - Permission denied when changing swappiness - Ask Ubuntu

Thanks for the answer @RayJin2000

Yes, I retried to be sure :slight_smile:

[admabord] $ sudo -H -S -p "xxxxx" -u admtech /bin/sh -c "sudo mkdir -p /etc/testdir"
[admabord] $ ll /etc/ |grep dir
drwxr-xr-x.  2 root root             6 13 sept. 11:09 testdir
[admabord] $ sudo -H -S -p "xxxxxx" -u admtech /bin/sh -c "sudo sysctl vm.swappiness"
vm.swappiness = 15

I meant, have you tried creating a directory with ansible?
Maybe you need to change some of the default ansible_sudo_* env vars

You're right, I have the same error when creating a directory in /etc with become

I tried to change the flags but nothing works so far.
I tried this too: become_flags: -s
but it is KO with Ansible and OK in the CLI on the remote

Hi :slight_smile:

And this works :slight_smile:

- name: Return motd to registered var
  become: true
  ansible.builtin.command: sudo touch /etc/sysctl.d/test_ansible.conf

Does anybody know how to use sudo with a module like file to do the same thing as the command module?

- name: Touch a file
  ansible.builtin.file:
    path: /etc/foo.conf
    state: touch
    mode: u=rw,g=r,o=r

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html
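The symptom in this thread (sudo works by hand, the module fails) follows from how become works: Ansible runs the module as exactly the `become_user`, so with `ansible_become_user: admtech` in host_vars the sysctl module calls `sysctl` as admtech, not root, and admtech's `NOPASSWD: ALL` rule is never exercised. The working command task succeeds only because it adds a second `sudo` hop inside the command, which `ansible.posix.sysctl` and `ansible.builtin.file` never perform. The playbook below is an added example, not code from the thread: it first records which user a module really runs as under the current become settings, then runs the sysctl and file tasks with an explicit `become_user: root`. That assumes the connecting account (admabord here) has its own sudoers entry for root, which the thread's sudoers line grants only to admtech; the become password stays admabord's own, since sudo asks for the invoking user's password.

```yaml
# Added example (not from the thread). Assumes the inventory already carries
# ansible_user / ansible_password for admabord, and that admabord has a
# sudoers rule to root; the rule shown in the thread covers admtech only.
- name: Show which user a module really runs as, then apply sysctl as root
  hosts: all
  gather_facts: false

  tasks:
    # Diagnostic: with ansible_become_user: admtech in host_vars this reports
    # "admtech", not "root", which is why the sysctl key is denied.
    - name: Record the effective user under the current become settings
      become: true
      ansible.builtin.command: id -un
      changed_when: false
      register: become_identity

    - name: Report the effective user
      ansible.builtin.debug:
        msg: "modules run as {{ become_identity.stdout }} with the current become settings"

    # Task-level become_user overrides the host_vars value for the tasks
    # that genuinely need root; the rest of the play keeps running as admtech.
    - name: Adjust value vm.swappiness
      become: true
      become_user: root
      ansible.posix.sysctl:
        name: vm.swappiness
        value: '1'
        state: present
        sysctl_set: true
        reload: true

    - name: Touch a file under /etc with the file module
      become: true
      become_user: root
      ansible.builtin.file:
        path: /etc/sysctl.d/test_ansible.conf
        state: touch
        mode: u=rw,g=r,o=r
```

Run it with `ansible-playbook -i <inventory> <playbook>.yml` against the host from the thread. If the debug task reports `admtech`, the failure is an authorization boundary rather than a module bug: become performs a single escalation, so a two-hop chain (admabord to admtech to root) cannot be expressed in become settings alone. The tasks then need either an account with a direct sudoers rule to root, ideally scoped to the commands the role actually runs rather than `ALL`, or the explicit second `sudo` inside a command task that the thread already shows working.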