Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.2k views
in Technique[技术] by (71.8m points)

programmatically create sudo rules for running ansible-playbook

How could I create a list for all possible commands an ansible-playbook is using so that I could create a sudoers file?

For testing the playbooks, temporally I create an entry in the /etc/sudoers.d:

tempuser ALL=(ALL:ALL) NOPASSWD:ALL

But is there a plugin or way to get like the list of commands so that I could later create a list like

tempuser ALL= NOPASSWD:  /bin/systemctl start  mariadb.service
...

Any ideas?

question from:https://stackoverflow.com/questions/66046666/programmatically-create-sudo-rules-for-running-ansible-playbook

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

If you intend to use privilege escalation with ansible then privilege escalation must be general

You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail with ansible as those paths won’t match with the temporary file that Ansible creates to run the module. If you have security rules that constrain your sudo/pbrun/doas environment to running specific command paths only, use Ansible from a special account that does not have this constraint, or use Red Hat Ansible Tower to manage indirect access to SSH credentials.

As demonstrated in the above documentation quote, this is a well known limitation of the tool. If this is a problem in your environment, either look at the above proposed workarounds in documentation quote, or don't use ansible at all.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...