Trying to use become

Hi all

I’m having a bit of an issue with “become”. This server actually asks for the root password when sudo is invoked. Let me re-state: Not the login user password, the root password. When I login “manually” I see this:

  $ sudo su -
  [sudo] password for root:

I’m trying to use the ‘su’ become plugin. I keep getting

  'FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt:'

when trying to use become.

group_vars looks like this:

  ---
  vars:
    ansible_become_method: 'su'
    ansible_user: 'login_user'
    ansible_become_exe: 'sudo -p "Password: " su -'   ### saw this somewhere...

and the host vars looks like this:

  ---
  vars:
    b: "server-id"
    c: "project-id"
    r: "aws-region"
    ansible_host: "{{c}}_{{b}}"
    ansible_ssh_private_key_file: "~/.env/sec/ssh/w/{{c}}.{{r}}.pem"
    ansible_become_password: "{{ lookup('passwordstore',
    'services/aws/'+c+'/'+r+'/ec2/hosts/'+b+'/admin/root' ) }}"

Trying to run the most basic playbook ever (as root):

  ---
  - name: linux.os_version
    hosts: project-id_server-id
    become: true
    become_method: 'su'
    gather_facts: false
    tasks:
      - name: get os version
        ansible.builtin.shell: "pp=$(cat /etc/os-release | grep -i pretty) ; echo $pp | cut -d'=' -f2"
        register: osver
      - ansible.builtin.debug: var=osver.stdout_lines

That play is invoked like this:

  ansible-playbook $ansible_dir/linux.os_version.yml

Been trying different variations of this and always getting the same result.
The passwordstore plugin, I have tested, and I know it works.

ansible [core 2.17.3]
  config file = /home/user/ansible/ansible.cfg
  configured module search path = ['/home/user/ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/user/ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.5 (main, Aug  9 2024, 08:20:41) [GCC 14.2.1 20240805] (/usr/bin/python)
  jinja version = 3.1.4
  libyaml = True

If any kind soul would have it in them to tell me what I’m doing wrong, that would be most appreciated.

Thanks

The sudo and su become plugins do NOT allow for stacking methods. I advise to setup sudo OR su to allow for your usage as they are redundant. sudo su - <user> is the same as sudo -i -u <user> and you only have 1 surface area of attack (sudo).

But if you cannot change your setup, there is always the community.general.sudosu become plugin ("Run tasks using sudo su -") in the Ansible Community Documentation.

thank you for the reply.

I indeed cannot change how sudo is setup.
the sudo su - bit actually was there just to prove a point, but unfortunately it distracted from the goal.
The idea is to use su.

I will try the sudosu plugin and see what happens.
Thank you.

So after a very long troubleshooting process, I've found the solution to my issues, and wanted to mark the post as solved.
I actually learned about my issue in a non-accepted answer of an unrelated post on Stack Overflow.

So quite random, tbh.

But what he says is true.
I took the "vars:" line out of my group_vars and host_vars files, and it indeed solved my issue.

Thank you Brian for bothering to reply, your effort actually spurred me to begin challenging my assumptions about my setup.

best
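The fix above comes down to file shape: Ansible reads group_vars and host_vars files as flat mappings, so a top-level `vars:` key does not act as a section header, it just defines one variable named `vars` holding a dict, and `ansible_user`, `ansible_become_method` and `ansible_become_password` inside it never take effect as connection or become settings. The following is an added check, not code from the thread: a small stdlib-only linter that walks `group_vars/` and `host_vars/` and flags any file whose only top-level key is `vars`. The two sample files (`WRONG_VARS`, `RIGHT_VARS`) are constructed for the example and mirror the shapes from the original post; the directory layout and file names it creates are assumptions.

```python
"""Flag group_vars/host_vars files that wrap their variables in a `vars:` key.

Added example, not part of the original thread. Stdlib only (no PyYAML):
it answers exactly one question, "what are the top-level keys of this file",
which is enough to catch the nesting mistake discussed above.
"""
import re
import tempfile
from pathlib import Path

# A YAML mapping key that starts in column 0, e.g. `ansible_user:`.
TOP_KEY = re.compile(r"^([A-Za-z_][\w.-]*)\s*:")

# Constructed sample: the broken shape from the post (everything nested under `vars:`).
WRONG_VARS = """---
vars:
  ansible_become_method: 'su'
  ansible_user: 'login_user'
  ansible_become_password: "{{ lookup('passwordstore', 'services/aws/x/y/ec2/hosts/z/admin/root') }}"
"""

# Constructed sample: the corrected shape, keys at the top level of the file.
RIGHT_VARS = """---
ansible_become_method: 'su'
ansible_user: 'login_user'
ansible_become_password: "{{ lookup('passwordstore', 'services/aws/x/y/ec2/hosts/z/admin/root') }}"
"""


def top_level_keys(text: str) -> list[str]:
    """Return the keys that start in column 0, in file order.

    Blank lines, comments, and the `---` / `...` document markers are skipped;
    any indented line belongs to a nested mapping and is ignored.
    """
    keys = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "---", "...")):
            continue
        if line[0].isspace():
            continue
        m = TOP_KEY.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def wrapped_in_vars(text: str) -> bool:
    """True when the file's only top-level key is `vars`.

    In that case Ansible exposes a single dict variable called `vars`
    instead of the individual ansible_* settings the author intended.
    """
    return top_level_keys(text) == ["vars"]


def lint_vars_dir(root: Path) -> list[Path]:
    """Return every .yml/.yaml under root/group_vars and root/host_vars that trips the check."""
    bad = []
    for sub in ("group_vars", "host_vars"):
        d = root / sub
        if not d.is_dir():
            continue
        for pattern in ("*.yml", "*.yaml"):
            for path in sorted(d.rglob(pattern)):
                if wrapped_in_vars(path.read_text(encoding="utf-8")):
                    bad.append(path)
    return bad


def demo() -> list[str]:
    """Build a throwaway inventory tree with one bad and one good file and lint it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "group_vars").mkdir()
        (root / "host_vars").mkdir()
        (root / "group_vars" / "all.yml").write_text(WRONG_VARS, encoding="utf-8")      # assumed name
        (root / "host_vars" / "project-id_server-id.yml").write_text(RIGHT_VARS, encoding="utf-8")
        return [p.relative_to(root).as_posix() for p in lint_vars_dir(root)]


if __name__ == "__main__":
    for rel in demo():
        print(f"{rel}: variables are nested under a top-level 'vars:' key; move them to the top level")
```

To confirm what Ansible actually resolved for a host after editing the files, `ansible-inventory --host <hostname> --yaml` prints the merged variables; with the broken shape you will see a single `vars:` dict rather than `ansible_become_password` and friends at the top level.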
