su_exe feature

Hi

I see that Ansible has sudo_exe feature for alternative sudo implementations. Would it be possible to implement also su_exe for alternative su implementations? In particular I am interested in CA AccessControl sesu utility: https://support.ca.com/cadocs/0/CA%20Access%20Control%2012%205%205-ENU/Bookshelf_Files/HTML/1358981.html

Thanks
Edgars

I think so. (Would be open to contributions, but we could also do it ourself if needed).

Is it mostly flag compatible?

The one thing I want to fix with sudo_exe is it should be settable per inventory host, so we’ll probably do that at the same time too, and leave the ansible.cfg setting for a default.

–Michael

Well, sesu supports the "-" flag and the "-c" flag just like su. Those two are the most important, I guess. The main difference is that su requires the root password when you switch to root, while sesu requires the user's password, just like sudo. But I don't think that this should be a problem.

Edgars

Monday, 8 September 2014 15:19:13 UTC+2, Michael DeHaan wrote:

excellent!

Was there any update on adding the ability to use sesu? Note that in our case sesu does NOT prompt for the 'to become' user. Here is how we use it:

  1. log in under my personal user id
  2. run "sesu - <to_become_user_id>"
  3. … it will NOT ask for any password and will directly log me in under the to_become_user_id

FYI here is the the output of sesu --help:

   CA ControlMinder sesu v12.80.0.1494 - Surrogate utility
   Copyright (c) 2013 CA. All rights reserved.

   Usage: sesu [-] [name] [-l] [-n] [-s shell] [-c command]
     -h         Displays this help and exits.
     name       Changes ID associated with session to that of user.
     -          Same but sets environment like the target user.
     -l         shell will be a login shell. This option is currently supported only on Linux
     -s         Next argument is a shell that will be used instead of the user's default shell. This option is currently supported only on Linux
     -c         Next argument is a command.
     -n         Do not prompt for invoker password.
     NOTE: If the security authorization server is not found, system
     /bin/su will be used instead.

and here is a bit of more info from man page:

NAME
sesu - Surrogate utility

SYNOPSIS
sesu [ - ] [ options ] [ name ]

DESCRIPTION
The sesu utility provides a transparent su command that does not require the user
to provide the password of the substituted user. The authorization process is based
solely on AccessControl access rules as defined in class SURROGATE.

… hope that helps a bit :)

try setting ansible_su_exe in the inventory

Thanks Brian - I didn't know that was possible (it is not documented in the default config file) - yes, that actually gets me much closer - THANK YOU :)

However, I am now getting another error, since ansible does not seem to be able to ignore the standard 'login information messages' during the su / sesu login process…

Here is what I did:

Edit /etc/ansible/ansible.cfg:

su_exe = /usr/seos/bin/sesu
su_flags = -

the '-' flag will make sure that I also set the user's environment - which ultimately triggers the standard welcome login messages etc.

so then when I run this

ansible prime -i inv_file -m ping -u my_real_user -S -R user_to_sesu -k

I get:

servername.com | FAILED => failed to parse:

You are right on that one; however, the documentation does hint at constants.py
in the repo, so with that handy:

   ~/work/ansible/ansible-project $ fgrep -r "su_exe" .
   ./test/units/playbook/test_play_context.py: su_exe = C.DEFAULT_SU_EXE
   ./test/units/playbook/test_play_context.py: self.assertEqual(cmd, """%s -c '%s %s -c "%s -c '"'"'echo %s; %s'"'"'"'""" % (default_exe, su_exe, play_context.become_user, default_exe, play_context.success_key, default_cmd))
   ./lib/ansible/constants.py:DEFAULT_SU_EXE = get_config(p, DEFAULTS, 'su_exe', 'ANSIBLE_SU_EXE', 'su')
   ./lib/ansible/playbook/play_context.py: su_exe = ('ansible_su_exe',),
   ./lib/ansible/playbook/play_context.py: _su_exe = FieldAttribute(isa='string')
   ./lib/ansible/playbook/play_context.py: exe = self.become_exe or self.su_exe or 'su'

;)

ansible avoids doing full logins on purpose to avoid things like that,
so adding - to the options will break.

Steve,
yup, I found that later on as well - I was not used to reading source code to get 'documentation' - but am learning :)

Brian,
ok, so what is the solution?

I need to run ‘sesu -’ otherwise the commands will not be executed properly since they require the environment to be setup as per the target user…

This works for me:

in ansible.cfg

   [defaults]
   ask_pass = True
   su_exe = /opt/CA/AccessControl/bin/sesu
   su_flags = -
   executable = /bin/bash

   [privilege_escalation]
   become = True
   become_ask_pass = True
   become_user = root
   become_method = su

In su_prompts.py add a new prompt:

   SU_PROMPT_LOCALIZATIONS = [ 'Please enter your password', ...

If you don't have a sesu password, then perhaps you don't need to add a prompt, and you can also set become_ask_pass = False

Hope it helps
Edgars

Monday, 8 September 2014 14:53:46 UTC+2, Edgars wrote:

hi Edgars,

Thanks for sharing - I guess the key issue I have now really is that ansible is not able to ignore the 'login messages' - they seem to be ignored for the 'remote user' (ansible '-u' parameter), but ansible is not able to ignore them when doing su (resp. sesu)… Which of the above do you think would specifically address this?

Martin
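The two mechanisms the thread keeps circling, the su prompt list in su_prompts.py that Edgars extended with the sesu prompt, and the module output that stops being parseable once `sesu -` opens a login shell and login messages land in front of it (Martin's "failed to parse"), as an added Python illustration. This is not Ansible's code: the prompt list, the regex, the helper names and the sample remote output are all constructed for the example, and the tolerant parser is shown to explain the failure, not as a recommended change.

```python
"""Added example (not Ansible's code): su-prompt matching and the effect of a
login shell's banner on module output parsing."""
import json
import re

# Constructed prompt list for this example; Ansible's own
# SU_PROMPT_LOCALIZATIONS is longer and holds many localized "Password" strings.
SU_PROMPT_LOCALIZATIONS = [
    "Password",
    "Please enter your password",  # the sesu prompt added in the thread
]

# A prompt is a whole line made of one known string and a colon, optionally
# followed by whitespace, e.g. "Password: " or "Please enter your password:".
_PROMPT_RE = re.compile(
    r"^\s*(?:%s)\s*:\s*$" % "|".join(re.escape(p) for p in SU_PROMPT_LOCALIZATIONS),
    re.IGNORECASE,
)


def is_su_prompt(chunk):
    """Return True if the last line of a chunk of remote output is a known su prompt."""
    if not chunk.strip():
        return False
    last_line = chunk.rstrip("\r\n").splitlines()[-1]
    return _PROMPT_RE.match(last_line) is not None


def parse_module_result_strict(stdout):
    """Strict parse: the whole stdout must be JSON (raises when a banner precedes it)."""
    return json.loads(stdout)


def parse_module_result_tolerant(stdout):
    """Skip leading login messages and decode from the first line that opens a JSON object.

    Illustration only: a login shell runs the target user's profile, so everything
    in front of the JSON is whatever that profile chose to print, and a parser
    that hunts for the first '{' trusts all of it.
    """
    lines = stdout.splitlines()
    for i, line in enumerate(lines):
        if line.lstrip().startswith("{"):
            obj, _end = json.JSONDecoder().raw_decode("\n".join(lines[i:]).lstrip())
            return obj
    raise ValueError("failed to parse: no JSON object found in module output")


# Constructed remote output: what comes back when `sesu -` opens a login shell
# that prints a MOTD before the ping module's JSON.
BANNER_THEN_JSON = (
    "Last login: Mon Sep  8 14:53:46 2014 from 10.0.0.5\n"
    "*** Authorized use only. All activity is monitored. ***\n"
    '{"ping": "pong", "changed": false}\n'
)


def demo():
    """Run both checks over the constructed samples and return the findings."""
    findings = {
        "sesu_prompt_detected": is_su_prompt("Please enter your password:"),
        "su_prompt_detected": is_su_prompt("Password: "),
        "banner_not_a_prompt": is_su_prompt("*** Authorized use only ***\n"),
    }
    try:
        parse_module_result_strict(BANNER_THEN_JSON)
        findings["strict_parse_ok"] = True
    except ValueError:
        findings["strict_parse_ok"] = False
    findings["tolerant_parse"] = parse_module_result_tolerant(BANNER_THEN_JSON)
    return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

The strict parser is the behaviour behind the "failed to parse" error: with `su_flags = -` the MOTD and "Last login" lines arrive on the same stream as the module's JSON. The tolerant variant shows what it would take to survive that, and also why it is the wrong fix: a login shell executes the target user's profile, so the bytes before the JSON are under that profile's control. Brian's answer, not passing "-" so no login shell is started, is the safer one.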

Martin

Can you give an example of 'login messages'? Is it some banner or MOTD? We also have a multi-line banner when users ssh in, and ansible works just fine. We just had a problem with the su prompt and had to add the sesu prompt in su_prompts.py

Edgars

Monday, 8 September 2014 14:53:46 UTC+2, Edgars wrote:

Hi Edgars,

Apologies for the slow response - sure - you can actually see it in my post from Aug 31st. But here it is again: