Using sudosh instead of just sudo

I am trying to meet a corporate requirement wherein ansible’s actions are recorded by sudosh on each server it touches. I tried changing “executable” from /bin/sh to /usr/bin/sudosh, but sudosh doesn’t have the corresponding -c parameter (it has one, but with different meaning). I tried making ansible’s login shell be /usr/bin/sudosh. That works for non-sudo operations–I can ls /tmp and that works. However, if I try to sudo from the sudosh shell, I get the following error:

…isn’t allowed to be executed with process or redirect controls.

I don’t see a lot of information on this particular error in the context of sudo/sh.

Is it even feasible/possible to do what I’m trying to do?

Thanks…

Darren

Hi Darren,

Hmm… so yeah if http://docs.ansible.com/intro_configuration.html#sudo-exe does not help, it seems we need to have another setting that if set adds the “-c”, so it can be removed.

Maybe this would work if it were tunable?

I believe this would be easy to implement.

Something like “base_sudo_flags=-c” # etc

and you could remove it…

–Michael

So I separated out the sudosh from the sudo. Having sudosh as a login shell works and records like it should, so I don’t think you need to have another setting.

This works:
ansible myserver -a "ls /tmp" and so does this: ansible myserver -a "sudo ls /tmp"

This doesn’t:
ansible myserver -a "ls /tmp" --sudo

That is where I get the redirection error.

Darren

I have a similar requirement. Most operations are locked down to root, so I can SSH to a host as myself and then “sudo sudosh” to become root and do what I need. Is it possible to do this with Ansible?

For example, as myself I can’t check the status of docker (running “service docker status” returns “docker status unknown due to insufficient privileges”).

I’ve tried using combinations of “remote_user”, “sudo” and “sudo_user” without luck; ansible hangs b/c it’s trying to do “sudo …” which I can’t do (I have to “sudo sudosh”, then I can run things). I could possibly have changes made to /etc/sudoers to allow my user to be able to “sudo” certain commands, but I’m not sure which commands I’d need to enable.

Thanks in advance for any help.

Was there ever a resolution to this? I’m running into the same issue. “sudo sudosh” is my only option for privilege escalation.

Thanks,
Nick

Was there ever a resolution to this? I’m in a similar situation in which I can only switch to root using “sudo sudosh” or “sudo -s”. I’ve tried using “become_flags: ‘-s’”, but with no luck. Am I missing something else?

Nick - the only thing that ended up working for us was to add the commands we needed to run to /etc/sudoers (I believe that’s the correct place). That was very painful and annoying.

We ended up switching to Salt.

Good luck!

Looks like this might solve my issue. https://github.com/ansible/ansible/issues/22718#issuecomment-287193691

Set “executable” in the ansible.cfg to “sudosh”

I’ll have to try it tomorrow at work.

I wasn't successful. Not sure if you can run commands in conjunction with the privilege escalation. With "sudo sudosh" you have to completely switch to root, and then run your commands.

Did you ever get a resolution on this?

No. Sorry.