
This is my simple playbook,

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

When I run this as user1 I correctly get the expected output, user1.

However, my requirement is to run the shell command as the root user, something like sudo whoami.

So I modified the playbook like this.

---
- name: test
  hosts: all
  tasks:
     - name: testing
       shell: /usr/bin/whoami
       become: true
       register: testing

     - name: show the result
       debug:
          msg: "{{ testing.stdout }}"

However, I keep getting the following error:

fatal: [xxxxxxxxx]: FAILED! => {
    "msg": "Missing sudo password"
}

Can anybody please help understand what I am missing here?

To allow user1 to run this via sudo as root, I have added the following entry to the sudoers file:

user1 ALL=(ALL:ALL) /usr/bin/whoami

Also, to avoid having to provide the user1 password, I added the following entry to the local ansible.cfg:

[privilege_escalation]
become_ask_pass=False

Still getting the same error mentioned above.

Comments

  • Ansible ships Python code to your nodes and that is what is run as sudo, not the command as defined in the shell module, hence why Ansible specifically explains that privilege escalation must be general. Commented Jan 9, 2024 at 8:19
  • Best practice is user1 ALL=(ALL) NOPASSWD: ALL Commented Jan 9, 2024 at 8:22
  • Thanks for the prompt response @VladimirBotka. Yes, user1 ALL=(ALL) NOPASSWD: ALL works fine. But our security team is not agreeing to this. Do you know how to decide what all commands I need to add explicitly? Commented Jan 9, 2024 at 8:46
  • Point your security team to Privilege escalation must be general. Quoting: "You cannot limit privilege escalation permissions to certain commands. ..." Commented Jan 9, 2024 at 10:28

1 Answer

user1 ALL=(ALL) NOPASSWD: ALL works fine. But our security team is not agreeing to this.

An example playbook

---
- hosts: test
  become: true
  gather_facts: false

  tasks:

  - name: Execute
    shell:
      cmd: "id"
    register: output

  - debug:
      var: output

with an output of

TASK [debug] ************************************************
ok: [test.example.com] =>
  output:
    changed: true
    cmd: id
    delta: '0:00:00.014084'
    end: '2024-01-09 10:55:00.340407'
    failed: false
    msg: ''
    rc: 0
    start: '2024-01-09 10:55:00.326323'
    stderr: ''
    stderr_lines: []
    stdout: uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    stdout_lines:
    - uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

shows with sudo tail -F /var/log/secure on the Remote Node:

Jan  9 10:55:00 test.example.com sshd[32004]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.1 user=ansible_user
Jan  9 10:55:00 test.example.com sshd[32004]: Accepted password for ansible_user from 192.0.2.1 port 48984 ssh2
Jan  9 10:55:00 test.example.com sshd[32004]: pam_unix(sshd:session): session opened for user ansible_user by (uid=0)
Jan  9 10:55:00 test.example.com sudo: ansible_user : TTY=pts/6 ; PWD=/home/ansible_user ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py
Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session opened for user root by ansible_user(uid=0)
Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session closed for user root

To Summarize

How to decide what all commands I need to add explicitly?

The command executed in the example was

/bin/sh -c echo BECOME-SUCCESS-<id> ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-<timestamp>-<id>/AnsiballZ_<modulename>.py

Therefore you could try adding a line at the end of the sudoers file, as shown by tail -1 /etc/sudoers

#includedir /etc/sudoers.d

and under /etc/sudoers.d a file /etc/sudoers.d/ansible

ansible_user    ALL=(ALL)    NOPASSWD: /bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python *

for Ansible Modules written in Python.

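An added example, not part of the question or the answer, that applies the answer's method for deciding what to list in sudoers: it pulls the COMMAND= field out of /var/log/secure records in the format shown above and reports which logged invocations a candidate sudoers command spec would not match, using an approximation of sudo's argument globbing. The log lines, host, PIDs, BECOME id and temp-dir names are constructed placeholders, and rule_allows, sudo_commands and uncovered are hypothetical helper names.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample lines in the /var/log/secure format quoted in the answer; host,
# PID, BECOME id and the ansible-tmp directory id are made-up placeholders.
SAMPLE_LOG = """\
Jan  9 10:55:00 test.example.com sshd[32004]: Accepted password for ansible_user from 192.0.2.1 port 48984 ssh2
Jan  9 10:55:00 test.example.com sudo: ansible_user : TTY=pts/6 ; PWD=/home/ansible_user ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-abc123 ; /usr/bin/python /home/ansible_user/.ansible/tmp/ansible-tmp-1704797700.1-4242/AnsiballZ_command.py
Jan  9 10:55:00 test.example.com sudo: pam_unix(sudo:session): session opened for user root by ansible_user(uid=0)
Jan  9 10:56:12 test.example.com sudo: user1 : TTY=pts/7 ; PWD=/home/user1 ; USER=root ; COMMAND=/usr/bin/whoami
"""

# sudo's record format: "sudo: <user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<path> <args>"
SUDO_RE = re.compile(
    r"sudo: +(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

def sudo_commands(log_text):
    """Return (invoking user, target user, full command line) for every sudo command record."""
    return [(m["user"], m["target"], m["command"])
            for m in map(SUDO_RE.search, log_text.splitlines()) if m]

def rule_allows(rule_spec, command):
    """Approximate sudoers command matching for one command spec (the ALL alias, path
    globs and digests are not modelled). sudo compares the executable path exactly,
    then the argument string (argv joined by spaces) against the spec's arguments
    with shell-style globbing, in which '*' also matches spaces."""
    rule_path, _, rule_args = rule_spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if rule_path != cmd_path:
        return False
    if rule_args == "":
        return True            # path only: any arguments are permitted
    if rule_args == '""':
        return cmd_args == ""  # explicit empty quotes: no arguments permitted
    return fnmatchcase(cmd_args, rule_args)

def uncovered(log_text, rule_specs):
    """Logged sudo commands that none of rule_specs allows, i.e. the commands a
    restricted sudoers rule would still have to name explicitly."""
    return [cmd for _, _, cmd in sudo_commands(log_text)
            if not any(rule_allows(spec, cmd) for spec in rule_specs)]

if __name__ == "__main__":
    # The question's whoami-only rule leaves the AnsiballZ invocation uncovered;
    # the answer's spec covers it, but only because its trailing '*' matches any
    # argument text at all, which makes it a general grant rather than a restriction.
    print(uncovered(SAMPLE_LOG, ["/usr/bin/whoami"]))
    print(uncovered(SAMPLE_LOG, ["/usr/bin/whoami", "/bin/sh -c echo BECOME-SUCCESS-* ; /usr/bin/python *"]))
```

Because sudo's '*' matches across spaces, a spec ending in /usr/bin/python * accepts any argument text, so a security review should treat it as equivalent to a general root grant, which is what Ansible's "privilege escalation must be general" guidance is saying.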


2 Comments

Thanks a lot @U880D. This makes a lot sense. Let me try this out.
This resolved my issue. Thanks a lot once again for your prompt help!
