Problem with sudo su user

In the sudoers file I have only this (can’t change it):
%user ALL=(ALL) NOPASSWD: /bin/su - jboss

How can I sudo to jboss and then run some command?
I tried something like
- become: yes
  become_user: "jboss"
  raw: "touch test"
or
  raw: "sudo su - jboss -c 'touch test'"
but always ended:
Sorry, user is not allowed to execute ‘command’ as jboss

This is being asked frequently, and AFAIK the only answer is:

You can't.

Ansible stuffs a lot of voodoo around the actual commands, so it needs
your ansible_user to have NOPASSWD set for all commands.

Workaround:
You can store the become_pass in an ansible-vault-encrypted file, so
it can be given when sudo asks for it. This means your ansible_user
has to have the ability to issue all kinds of commands via sudo while
being asked for the password.

Johannes

The problem here is that ansible does not support chaining privilege escalation methods (sudo OR su, not both).

%user ALL=(jboss) NOPASSWD: ALL

or

%user ALL=(jboss) ALL

would allow you to use sudo, or if you have the jboss user password you can use ‘su’, but Ansible cannot use the combination of the 2. Sadly this is a common pattern even though it is not needed as sudo can give you the same functionality w/o chaining su (as shown above).

I am sorry, I was unclear. I meant if you want *passwordless* sudo,
you need it for all commands, not just for some.

Of course sudo with prompting for the password (which can be supplied
in a lot of ways) works.

Johannes
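Putting the two replies above together, here is an added example (not posted by anyone in this thread) of what the sudo-only setup looks like on the Ansible side. It assumes a host group named appservers, the jboss home directory /opt/jboss, and the file names group_vars/appservers/vault.yml and site.yml; all of those are made up for the example. The sudoers lines are the ones quoted in the replies. Note that a sudoers entry that lists arguments, such as /bin/su - jboss, matches only that exact argument list, so the /bin/sh -c '...' wrapper that Ansible's become puts around every command can never match it, whereas (jboss) NOPASSWD: ALL or (jboss) ALL matches any command run as jboss and nothing run as anyone else.

```yaml
# file: site.yml   (added example, not from the original thread)
#
# Works with either sudoers line from the replies:
#   %user ALL=(jboss) NOPASSWD: ALL      -> no become password needed
#   %user ALL=(jboss) ALL                -> ansible_become_pass must be set
#
# Ansible runs every task roughly as:
#   sudo -H -S -u jboss /bin/sh -c '<task command>'
# which is why the exact-match rule for "/bin/su - jboss" is rejected.
- name: Run a command as jboss through sudo alone (no su in the chain)
  hosts: appservers            # assumed inventory group
  become: true
  become_method: sudo          # never "su": Ansible cannot chain sudo + su
  become_user: jboss           # sudo -u jboss; the runas field (jboss) in sudoers
  tasks:
    - name: Equivalent of the OP's "touch test", run as jboss
      ansible.builtin.file:
        path: /opt/jboss/test  # assumed jboss home, hypothetical path
        state: touch

# file: group_vars/appservers/vault.yml   (only needed for the "(jboss) ALL" variant)
# Create it with:  ansible-vault create group_vars/appservers/vault.yml
# and run with:    ansible-playbook site.yml --ask-vault-pass
# The password stored here is the ansible_user's own password, which is
# what sudo prompts for; it never has to be the jboss password.
ansible_become_method: sudo
ansible_become_user: jboss
ansible_become_pass: "REPLACE-WITH-ANSIBLE-USER-PASSWORD"   # placeholder
```

Keeping the runas field restricted to (jboss) is the least-privilege version of what the replies describe: the ansible_user can run anything as jboss, but nothing as root, and there is no su binary in the path for which a second credential would have to be managed.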