trying to use become

Hi all

I’m having a bit of an issue with “become”. This server actually asks for the root password when sudo is invoked. Let me re-state: Not the login user password, the root password. When I login “manually” I see this:

  $ sudo su -
  [sudo] password for root:

I’m trying to use the ‘su’ become plugin. I keep getting

  'FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt:'

when trying to use become.

group_vars looks like this:

  ---
  vars:
    ansible_become_method: 'su'
    ansible_user: 'login_user'
    ansible_become_exe: 'sudo -p "Password: " su -'   ### saw this somewhere...

and the host vars looks like this:

  ---
  vars:
    b: "server-id"
    c: "project-id"
    r: "aws-region"
    ansible_host: "{{c}}_{{b}}"
    ansible_ssh_private_key_file: "~/.env/sec/ssh/w/{{c}}.{{r}}.pem"
    ansible_become_password: "{{ lookup('passwordstore',
    'services/aws/'+c+'/'+r+'/ec2/hosts/'+b+'/admin/root' ) }}"

Trying to run the most basic playbook ever (as root):

  ---
  - name: linux.os_version
    hosts: project-id_server-id
    become: true
    become_method: 'su'
    gather_facts: false
    tasks:
      - name: get os version
        ansible.builtin.shell: "pp=$(cat /etc/os-release | grep -i pretty) ; echo $pp | cut -d'=' -f2"
        register: osver
      - ansible.builtin.debug: var=osver.stdout_lines

That play is invoked like this:

  ansible-playbook $ansible_dir/linux.os_version.yml

I have been trying different variations of this and always get the same result.
I have tested the passwordstore plugin and know it works.

ansible [core 2.17.3]
  config file = /home/user/ansible/ansible.cfg
  configured module search path = ['/home/user/ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/user/ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.5 (main, Aug  9 2024, 08:20:41) [GCC 14.2.1 20240805] (/usr/bin/python)
  jinja version = 3.1.4
  libyaml = True

If any kind soul would have it in them to tell me what I’m doing wrong, that would be most appreciated.

Thanks

The sudo and su become plugins do NOT allow for stacking methods. I advise setting up sudo OR su to allow for your usage, as they are redundant. sudo su - <user> is the same as sudo -i -u <user>, and you only have one attack surface (sudo).

But if you cannot change your setup, there is always the community.general.sudosu become plugin (Run tasks using sudo su -, in the Ansible Community Documentation).
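The single-plugin setup this reply recommends, written out as an added example (not the replier's or the collection's own code): the original group_vars, host_vars and play rewritten for community.general.sudosu, which runs "sudo ... su -l root" as one step and answers the sudo prompt with ansible_become_password. It assumes the community.general collection is installed, that group_vars and host_vars files hold top-level keys (no enclosing vars: mapping), and the file names are hypothetical.

```yaml
# group_vars/project-id.yml  (hypothetical file name)
# Plain key/value pairs at top level, no enclosing "vars:" mapping.
---
ansible_user: login_user
ansible_become: true
# One plugin performs "sudo ... su -l <user>" in a single step, so there is
# no stacking of the sudo and su plugins and only sudo's prompt is handled.
ansible_become_method: community.general.sudosu
ansible_become_user: root
# ansible_become_exe is deliberately NOT set: the plugin builds the
# "sudo -H -S -p '<prompt>' su -l root" command itself.

# host_vars/project-id_server-id.yml  (hypothetical file name)
---
b: "server-id"
c: "project-id"
r: "aws-region"
ansible_host: "{{ c }}_{{ b }}"
ansible_ssh_private_key_file: "~/.env/sec/ssh/w/{{ c }}.{{ r }}.pem"
# sudo on this host asks for root's password, so the secret handed to the
# plugin is root's password, fetched from pass at run time instead of being
# written into the inventory.
ansible_become_password: "{{ lookup('passwordstore',
  'services/aws/' + c + '/' + r + '/ec2/hosts/' + b + '/admin/root') }}"

# linux.os_version.yml  (the play, same target as the original)
---
- name: linux.os_version
  hosts: project-id_server-id
  become: true
  become_method: community.general.sudosu
  gather_facts: false
  tasks:
    # Check the escalated identity first so a silent fallback to the
    # unprivileged login user is caught before any real task runs.
    - name: confirm we really are root after escalation
      ansible.builtin.command: id -un
      register: whoami
      changed_when: false
      failed_when: whoami.stdout != 'root'

    - name: get os version
      ansible.builtin.shell: "pp=$(grep -i pretty /etc/os-release) ; echo $pp | cut -d'=' -f2"
      register: osver
      changed_when: false

    - ansible.builtin.debug:
        var: osver.stdout_lines
```

Running with -vvv shows the exact "sudo ... su -l root" command the plugin builds and the prompt it waits for, which is the first thing to compare against what sudo actually prints on the host if the timeout persists.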

Thank you for the reply.

I indeed cannot change how sudo is set up.
The sudo su - bit was actually there just to prove a point, but unfortunately it distracted from the goal.
The idea is to use su.

I will try the sudosu plugin and see what happens.
Thank you.