SmartOS/Illumos pfexec support

Hi all, I am working on writing some Ansible playbooks to manage my SmartOS deployment. I’m using Illumos/SmartOS’s support for RBAC instead of sudo/su, but I’m running into some issues with it.

Basically I just need to run pfexec before each command so it executes with my user’s profiles (privileges). I was hoping ANSIBLE_SUDO_EXE or even ANSIBLE_EXECUTABLE would help, but unfortunately pfexec does not accept the same (immutable) flags as sudo, and setting ANSIBLE_EXECUTABLE to pfbash (basically like doing pfexec /bin/bash) causes PUTs to fail on the SSH level for some reason.

Adding pfexec support to Ansible seems like it would be a lot of work for not much gain, so I was considering writing a wrapper to pfexec to translate the sudo flags to pfexec flags. Has anyone else run into this or have any ideas on how to solve this better?

Thanks,
Preston
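The wrapper idea from the post above, sketched as an added example; it is not part of the thread and is not Ansible code. The function name, the overridable `PFEXEC` variable and the set of sudo options handled (`-k -K -H -S -n -E -p -u`) are assumptions about what a sudo-style caller passes; unknown options and foreign target users are refused instead of being forwarded.

```shell
#!/bin/sh
# Added example (hypothetical wrapper): accept sudo-style options, run via pfexec.
# illumos synopsis: pfexec [-P privspec] command [arg ...]
PFEXEC="${PFEXEC:-/usr/bin/pfexec}"   # overridable so the parsing can be tested off-host

pfexec_wrapper() {
    target_user=""
    saw_reset=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -k|-K) saw_reset=1; shift ;;   # sudo credential-cache reset: no RBAC equivalent
            -H|-S|-n|-E) shift ;;          # HOME/stdin/non-interactive/env flags: dropped
            -p|-u)                         # options that carry a value
                if [ $# -lt 2 ]; then
                    echo "pfexec-wrapper: $1 needs an argument" >&2; return 2
                fi
                if [ "$1" = "-u" ]; then target_user=$2; fi
                shift 2 ;;
            --) shift; break ;;
            -*) # Fail closed: never guess at, or forward, an option we do not know.
                echo "pfexec-wrapper: unsupported sudo option: $1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    if [ $# -eq 0 ]; then
        if [ -n "$saw_reset" ]; then return 0; fi   # bare "sudo -k" becomes a no-op
        echo "pfexec-wrapper: no command given" >&2; return 2
    fi
    # pfexec applies the caller's own profiles; it cannot switch to another account.
    # "-u root" is accepted on the assumption that those profiles grant what is needed.
    if [ -n "$target_user" ] && [ "$target_user" != "root" ] \
        && [ "$target_user" != "$(id -un)" ]; then
        echo "pfexec-wrapper: cannot run as '$target_user' via pfexec" >&2; return 2
    fi
    "$PFEXEC" "$@"
}

# When installed as a script, forward the caller's arguments.
if [ $# -gt 0 ]; then pfexec_wrapper "$@"; fi
```

Accepting `-u root` does not make the command run as root: it runs with whatever the invoking user's RBAC profiles allow, so a task that needs more than those profiles grant will fail on the managed host.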

I'm currently revamping the privilege escalation system to both
generalize it and allow for easier addition of new systems. Once I
have this working we can look into adapting pfexec.

I ended up just hacking in an if check to just execute things with pfexec instead of sudo with no flags, and it seems to work fine. I know it’s ugly but I figured I would at least mention it.

Thanks,
Preston