Sudo (become) limitations & Best Practices

Hi guys,

So, being new to Ansible, I recently bumped into what seems to be a sudo security issue in Ansible, which I suppose is a well-known thing in the Ansible community, but for whatever reason I couldn't find a lot of info on it by googling for about half a day, or who knows, maybe I am a bad researcher.

Goal
Run Ansible tasks with some privileged user by using its sudo rights

Summary
So we have an environment where we use a specific user for multiple applications that we maintain. This user has a limited set of sudo rules. I am obviously trying to use some of these commands through Ansible so I can deploy some stuff.
All rules are in a similar format like this:
%caadmin ALL=(root) NOPASSWD: /etc/init.d/sdm* *
so an example command would be: sudo /etc/init.d/sdmconnectorTest start

On the Ansible side I have tasks which use either the shell module or the template module.

Issue
As you might be aware, before Ansible runs a task, it actually copies the task (module) to the remote device as a Python script and runs that Python script as the root user by gaining access to a root bash. So the following command would be tried by Ansible:
sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS………;

I did some tests in one of my lab environments where I could see that this type of sudo right, if it were to be deployed, actually provides full root control to the remote user (Ansible). Obviously our SysAdmins would never agree to give this right to any user. Tests below:

[caadmin@oc001 ~]$ vim /etc/sudoers
caadmin ALL=(ALL:ALL) NOPASSWD: /bin/sh -c echo B*

[caadmin@oc001 ~]$ sudo /bin/sh -c "echo Bar; /bin/sh"
Bar
sh-4.2# whoami
root

Solutions/Questions

  1. I know I can put sudo directly in front of the command in the shell module to get my desired sudo access without using become.
  2. I know I could somehow copy the templates from the Ansible project to the remote machine and from there use a shell module with sudo, as described in point 1, to achieve my goal by copying the files from the user's home dir to the /etc/init.d/ dir.

So there are potential workarounds, but what would be the best practice for this kind of situation?
What is your experience?
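Added example (not part of the original post, and not sudo's or Ansible's own code): a simplified Python model of how sudoers matches a command spec against what the user actually ran. It relies on the documented sudoers(5) behaviour that command-line arguments are matched as a single concatenated string, so a `*` in the args pattern matches across spaces; the real sudo globs the path part against the filesystem, which this toy version replaces with a plain string glob. The BECOME-SUCCESS token and the AnsiballZ temp path in the Ansible sample are illustrative, not captured from a real run.

```python
import fnmatch
import shlex

# Constructed sudoers command specs (path pattern followed by an optional args
# pattern). The first is the rule from the post, the second the lab-test rule,
# the third an exact-args rule of the kind an admin would prefer to grant.
RULES = [
    "/etc/init.d/sdm* *",
    "/bin/sh -c echo B*",
    "/etc/init.d/sdmconnectorTest start",
]

# Constructed approximation of the wrapper Ansible runs under become.
# Token and temp path are illustrative assumptions, not real captured values.
ANSIBLE_BECOME_ARGV = shlex.split(
    "/bin/sh -c 'echo BECOME-SUCCESS-abc123; "
    "/usr/bin/python /home/caadmin/.ansible/tmp/AnsiballZ_shell.py'"
)


def split_cmnd(spec):
    """Split 'path args...' into (path_pattern, args_pattern or None)."""
    path, _, args = spec.strip().partition(" ")
    return path, (args if args else None)


def rule_matches(spec, argv):
    """Simplified sudoers command matching.

    Path: glob-matched as a string (sudo globs against the filesystem).
    Args: no pattern means any args are allowed, '""' means no args at all,
    otherwise the args are joined with single spaces into ONE string and
    fnmatch'd, which is why '*' happily matches 'ar; /bin/sh'.
    """
    path_pat, args_pat = split_cmnd(spec)
    if not fnmatch.fnmatchcase(argv[0], path_pat):
        return False
    if args_pat is None:
        return True
    if args_pat == '""':
        return len(argv) == 1
    return fnmatch.fnmatchcase(" ".join(argv[1:]), args_pat)


def first_matching_rule(argv, rules=RULES):
    """Return the first rule that would authorise argv, or None."""
    for spec in rules:
        if rule_matches(spec, argv):
            return spec
    return None


def risky_rules(rules=RULES):
    """Flag specs whose args pattern contains a wildcard: with arguments matched
    as one concatenated string, such a rule usually lets the caller append
    '; /bin/sh' (or anything else) after the intended arguments."""
    flagged = []
    for spec in rules:
        _, args_pat = split_cmnd(spec)
        if args_pat and any(ch in args_pat for ch in "*?["):
            flagged.append(spec)
    return flagged


if __name__ == "__main__":
    # The post's lab test: the rule meant for 'echo B...' authorises a root shell.
    escape = shlex.split('/bin/sh -c "echo Bar; /bin/sh"')
    print("lab test matched by:", first_matching_rule(escape))
    # Ansible's become wrapper is just another '/bin/sh -c echo B...' command.
    print("become wrapper matched by:", first_matching_rule(ANSIBLE_BECOME_ARGV))
    # The intended command still works under the exact-args rule alone.
    print("exact rule only:", first_matching_rule(
        ["/etc/init.d/sdmconnectorTest", "start"], rules=RULES[2:]))
    print("risky rules:", risky_rules())
```

The takeaway for the question in the post: a sudoers line that permits Ansible's `/bin/sh -c 'echo BECOME-SUCCESS...'` wrapper by wildcard is indistinguishable, to sudo, from permitting any command string that starts the same way, so it is full root. Granting exact paths with exact arguments (the third rule) is the only shape of rule that stays confined, and it is incompatible with `become`, which is why the shell-module-with-explicit-sudo workaround is the usual answer.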