I have been working to implement an Ansible solution to manage Apache and WCS.
Through my playbook, I am logging into the remote server as myuser and switching to ihsadm (which is the apache admin) using the sudo option, and trying to restart apache. I have enabled NOPASSWD in my remote machine's sudoers file so ansible doesn't prompt for a password.
My playbook works fine if my remote machine's sudoers file has the setting below:
myuser ALL=(ALL) NOPASSWD: ALL
myuser ALL=(ALL) NOPASSWD: /bin/sh -c *
But the above setting is equivalent to granting root access to myuser, which is essentially not the right way to do it. I only want to let myuser execute any task that ihsadm (apache owner) could execute, so to do this I have modified the sudoers file as below.
myuser ALL=(ALL) NOPASSWD: /bin/su - ihsadm
Unfortunately the above setting does not solve the problem; my playbook keeps failing, saying missing password.
Please find below the chunk of command being generated by the ansible playbook…
I thought it would be nice to share my playbook with you to give you more of an idea. If you look at the command I shared earlier, ansible is trying to sudo -u ihsadm only, but it still asks for a password.
Note: If I try to manually sudo to ihsadm I am not asked to enter a password (with: myuser ALL=(ALL) NOPASSWD: /bin/su - ihsadm).
will NOT WORK with ansible; this is not allowing ansible to sudo as a user, it allows you to use sudo to su into a user, and ansible does NOT chain sudo and su.
sudo: yes
sudo_user: ihsadm
is the equivalent of running all commands as "sudo -u ihsadm -c '<commands here>'"; it does not run su at all.
Brian,
Are we talking about the same thing with different words?
The sudo line above will:
make sudo accept any target user (-u to sudo)
will not make /bin/su magically exempt from /etc/pam.d/su – which by default only allows root a passwordless operation on most distros
The sudo_user (ihsadm) from ansible will:
“sudo -u ihsadm …”
This combination leads to the situation where ansible will try to:
sudo -u $sudo_user “/bin/su - ihsadm”
** Actually sudo -u $sudo_user /path/to/generated/ansible-script.sh
** plus all the other options that ansible provides for sudo but those are the IMHO relevant things…
which will fail miserably (read: will prompt for a password for the ihsadm user). Be it ansible or shell…
I still stand by it:
myuser ALL = (ALL) NOPASSWD: ALL
is a superset of
myuser ALL = (ihsadm) NOPASSWD: ALL
from the POV sudo has. So it is a simple sudo issue and in no way related to ansible…
Martin, you are correct about it being a superset; I might have misunderstood that what Raja wanted was to give myuser the ability to run as ihsadm but not as root. My setting was INSTEAD of, not in addition to, the existing ones.
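Added example (my own, not from the thread or from Ansible): a toy Python model of sudo's rule matching, with a constructed argv standing in for the shell-wrapped generated script Ansible hands to sudo. It shows that the `/bin/su - ihsadm` rule never matches the command Ansible actually runs, so the request is refused whatever user it targets, while `myuser ALL = (ihsadm) NOPASSWD: ALL` passes the ihsadm request without a password and still refuses the same request as root. The parser, the script path in ANSIBLE_ARGV and the verdict names are assumptions, not sudo's own code.

```python
"""Toy model of sudo rule matching, constructed for this thread (not sudo's real
parser): `user host = (runas) [NOPASSWD:] cmd[, cmd]`; hosts and aliases ignored."""
import fnmatch
import re
from collections import namedtuple

RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]+)\))?\s*(NOPASSWD:)?\s*(.+)$")
# runas: user allowed after -u ("ALL" = any); commands: "ALL", "/path" or "/path args"
Rule = namedtuple("Rule", "user runas nopasswd commands")

def parse_rule(line):
    user, runas, nopw, cmds = RULE_RE.match(line.strip()).groups()
    # "(user:group)" keeps only the user part; an omitted runas defaults to root
    runas = (runas or "root").split(":")[0].strip()
    return Rule(user, runas, bool(nopw), [c.strip() for c in cmds.split(",")])

def command_matches(spec, argv):
    parts = spec.split()
    if spec == "ALL" or (parts[0] == argv[0] and len(parts) == 1):
        return True                       # ALL, or a bare path: any arguments allowed
    return parts[0] == argv[0] and fnmatch.fnmatchcase(
        " ".join(argv[1:]), " ".join(parts[1:]))   # sudo-style wildcard argument match

def check(rules, user, target, argv):
    """Verdict for `sudo -u target argv`: 'nopasswd', 'password' or 'denied';
    as in sudo, the last matching rule wins."""
    verdict = "denied"
    for r in rules:
        if r.user == user and r.runas in ("ALL", target) and any(
                command_matches(c, argv) for c in r.commands):
            verdict = "nopasswd" if r.nopasswd else "password"
    return verdict

# What Ansible hands to sudo: a shell running its generated script (constructed path)
ANSIBLE_ARGV = ["/bin/sh", "-c", "/tmp/.ansible/ansible-script.py"]

def compare():
    """The thread's sudoers lines against Ansible's request as ihsadm and as root."""
    out = {}
    for line in ["myuser ALL=(ALL) NOPASSWD: ALL",
                 "myuser ALL=(ALL) NOPASSWD: /bin/su - ihsadm",
                 "myuser ALL = (ihsadm) NOPASSWD: ALL"]:
        rules = [parse_rule(line)]
        out[line] = (check(rules, "myuser", "ihsadm", ANSIBLE_ARGV),
                     check(rules, "myuser", "root", ANSIBLE_ARGV))
    return out

if __name__ == "__main__":
    for line, (as_ihsadm, as_root) in compare().items():
        print(f"{line:48} as ihsadm: {as_ihsadm:9} as root: {as_root}")
```

The same matcher also confirms the thread's `/bin/sh -c *` line: it matches the shell wrapper, which is why it works but grants far more than the ihsadm-only rule.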